

Policy Compliance 
Getting Started Guide 


July 28, 2021 


Copyright 2011-2021 by Qualys, Inc. All Rights Reserved. 


Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks 
are the property of their respective owners. 


Qualys, Inc. 

919 E Hillsdale Blvd 
Foster City, CA 94404 
1 (650) 801 6100 




Table of Contents 

Get Started 
Set Up Assets 
Start Collecting Compliance Data 
Configure Authentication 
Launch Compliance Scans 
We recommend you schedule scans to run automatically 
How to configure scan settings 
Install Cloud Agents 
Evaluate Middleware Assets by Using Cloud Agent 
Define Policies 
Add User Defined Controls 
Database User-Defined Controls 
Edit User-Defined Controls 
Import and Export User-Defined Controls 
Qualys Custom Controls in Library Policies 
Manage Policies 
Reporting 
Policy Compliance Reports 
Authentication Report 
Policy Report 
Mandate Based Report 
STIG Based Report 
Compliance Scorecard Report 
Control Pass/Fail Report 
Individual Host Compliance Report 
Tips and Tricks 
Add Auditor Users 
Customize Frameworks for the Subscription 
Customize Technologies for the Subscription 
Review & Customize Control Criticality 


Contact Support 


Get Started 


Welcome to Qualys Policy Compliance. We'll help you get started quickly so you can 
understand the compliance status of your host assets. 


Policy Compliance is available in your account only when it is enabled for your 
subscription. If you would like to enable Policy Compliance for your account, please 
contact Technical Support or your Technical Account Manager. 


Let's take a look now at the user interface. Log into your account and choose Policy 
Compliance from the application picker. 


[Screenshot: application picker. Infrastructure Security: Vulnerability Management (automated host security assessment and reporting), Continuous Monitoring, Certificate View, Container Security, Secure Enterprise Mobility, Threat Protection, CloudView. Compliance: Policy Compliance (define and monitor IT security standards aligned with regulations), PCI Compliance, File Integrity Monitoring.] 

Once in the PC application, you'll see these options along the top menu: 


[Screenshot: Policy Compliance top menu with Dashboard, Policies, Scans, Reports, Exceptions, Assets and Users; the Policies section has Policies, Controls, Mandates and Setup tabs, plus New, Search and Filters.] 


Go to Help > Get Started for some helpful first steps. 


[Screenshot: Help > Get Started page, "Welcome to Qualys Policy Compliance". It lists these steps for a successful scan:] 

1. Add IP addresses to scan - Add the IPs/ranges that you want to scan for compliance. 

2. Configure scan settings - Customize the various scanning options required to run a scan. These can be saved as profiles for reuse. View compliance profiles provided by Qualys or create a new profile. 

3. Configure authentication - Set up authentication records to use the authentication feature (Windows, Linux, Oracle, etc.) in order to perform an in-depth assessment of your assets. 

4. Start your scan - You're now ready to start scanning! Launch a new compliance scan or schedule your scan to run automatically or on a recurring basis. 

5. Build a policy - Quickly create a new policy based on a scanned host. The service builds the policy for you using the host as a Golden Image. Or import a policy from the Library. Once you have a policy, go to the Policy Summary to check your compliance status and run reports. 

The page also links to Online Help, Contact Support, Video Tutorials, Qualys Community Resources, the UI Quick Tour, the PC Getting Started Guide and the Help Community. 


Next we'll walk you through the steps so you can get started with running compliance 
scans, building policies and creating reports. 


Set Up Assets 


You can run compliance scans and create compliance reports on hosts (IP addresses) that 
have been added to your PC account. Select Assets on the top menu and then click the 
Host Assets tab. You'll see the hosts already in your PC account. 


How do I add new hosts to PC? 


From the New menu, select IP Tracked Hosts, DNS Tracked Hosts or NetBIOS Tracked 
Hosts. The tracking method you choose will be assigned to all of the hosts being added. 


[Screenshot: Assets > Host Assets tab. The New menu lists IP Tracked Hosts..., DNS Tracked Hosts... and NetBIOS Tracked Hosts..., with Export All and Download below; the networks in the account (e.g. Global Default Network) are listed at the left.] 

In the New Hosts wizard, first review the number of hosts you can add on the General 
Information tab. Then go to the Host IPs tab and enter new IP addresses/ranges in the IPs 
field. To add the new IPs to your PC account, select the Add to Policy Compliance Module 
check box. Note that you can add the same IPs to other modules in your subscription by 
selecting additional module options. 



When you're done making your selections, click Add. Then click OK when the 
confirmation appears. 


[Screenshot: New Hosts wizard, Host IPs tab. The IPs field holds 10.10.24.20-10.10.24.32 (format example: 192.168.0.200,192.168.0.87-192.168.0.92). Module check boxes: Add to CertView Module, Add to VM Module, Add to Policy Compliance Module (selected), Add to SCA Module; option to Validate IPs through Whois. The Network selector notes that new IPs are available to all networks regardless of the selection, while custom host attributes apply only to the selected network.] 

Start Collecting Compliance Data 


Qualys sensors collect compliance data from your assets and beam it up to the Qualys 
Cloud Platform, where the data is analyzed and correlated. You can choose to launch 
scans with scanner appliances and/or install Cloud Agents. 


The Scans section is where you manage your compliance scans and your scan 
configurations. 


Configure Authentication 


Authentication to hosts is required for compliance scans using our trusted scanning 
feature. For Windows compliance scanning, an account with Administrator rights is 
required. 


The service performs authentication based on authentication records you define for your 
target hosts. Each authentication record identifies an authentication type (e.g. Windows, 
Unix, Oracle, Apache Web Server, Docker, MS SQL, and many more), account login 
credentials and target IP addresses. Multiple records may be defined. The service uses all 
the records in your account for compliance scanning. 


You'll see the authentication records in your account by going to Scans > Authentication. 
To add a new record, select the record type from the New menu. The online help within 
each authentication record describes the required inputs and setup instructions. 


[Screenshot: Scans > Authentication tab listing 160 authentication records with columns Network, Title, #IPs, Modified, Template and Record Details. The New menu groups record types under Operating Systems, Network and Security, Applications (Apache Web Server, IBM WebSphere App Server, Oracle HTTP Server, Oracle WebLogic Server, Tomcat Server), Databases (MS SQL), VMware, System Record Templates, Kubernetes, Authentication Vaults, MS Exchange Server and MS SharePoint. System created records appear with titles ending in "App Server [System Created] - 160005" and similar.] 


Authentication Vaults 


We support integration with multiple third party password vaults. To use vaults, you'll 
need to first configure vault records. From the New menu, choose Authentication Vaults. 
Then choose your vault type. When the vault record appears, you'll need to provide vault 
credentials to securely access sensitive information stored in the vault. Review the help 
for your vault type (just click Launch Help in the vault record) to understand the types of 
credentials that can be stored in the vault and how to retrieve them at scan time. Each 
vault has its own set of requirements. 


Once your vault record is saved, you'll be ready to configure authentication records. In the 
record, you'll choose the Authentication Vault option (or Get password from vault: Yes). 
Then choose the vault type and select the vault record you already created. For each vault 
type there will be additional information required. The information required depends on 
the vault type. Please refer to the help for your vault type. At scan time, we'll authenticate 
to hosts using credentials retrieved from your vault. 


System Authentication Records 


For several server applications you can have authentication records created for you 
automatically. Instance discovery and auto record creation is supported for multiple 
technologies, including Apache Web Server, IBM WebSphere App Server, JBoss Server, 
Tomcat Server and Oracle. See System Authentication Options to learn how to create 
compliance profiles in order to perform instance discovery and then include system 
created records in your scans. 


Auto created authentication records have the owner “System”. These records cannot be 
edited by users. (For Oracle, you do have the option to Save a system created record as a 
user record in order to edit it.) 


Perform Compliance Assessment of Oracle Multitenant Databases via Container Database 


Customers have the option to assess their Oracle multitenant databases for compliance 
via the container database (CDB). For this, customers simply select the option “Is CDB” in 
the Oracle authentication record. There is no need for customers to create individual 
records for each pluggable database in the CDB. 


How it works 


When “Is CDB” is selected in the Oracle record, the compliance scan will auto discover and 
assess all accessible Pluggable Databases (PDBs) within the container database (CDB). The 
assessment is performed through the CDB, which means there is no need for the scanner 
to connect directly to individual PDBs. This saves customers from having to create 
separate Oracle records for each PDB instance. Identifying the Oracle database as a CDB in 
the Oracle record also ensures the right compliance checks are performed for multitenant 
technologies. We've written compliance controls in order to assess the pluggable 
databases via the CDB. See the online help to learn more about this feature. 


[Figure: Multitenant Container Database (CDB)] 

Launch Compliance Scans 


Now you're ready to start scanning using scanner appliances. Compliance scans can be 
launched on demand or scheduled to run at a future date and time. 


Select Scans from the top menu and click the PC Scans tab. Then go to New > Scan (or 
Schedule Scan). Depending on your subscription settings, you may see additional scan 
options like EC2 Scan and Cloud Perimeter Scan. In the following example, these options 
are not available. 


[Screenshot: Scans > PC Scans tab. The New menu offers Scan and Schedule Scan; the list shows each scan's title, targets, user, date and status (e.g. Finished).] 

The Launch Compliance Scan window appears, prompting you to enter scan information. 


[Screenshot: Launch Compliance Scan window with sections General Information (Title, Compliance Profile, Network, Scanner Appliance), Choose Target Hosts from (Assets or Tags; Asset Groups, IPs/Ranges, Exclude IPs/Ranges, FQDN(s) separated by commas, Temporarily add agent addresses) and Notification (Send notification when this scan is finished).] 

Title -- The title helps you identify the scan within the application. The title you enter 
appears in the scan summary email and the scan results report. 


Compliance Profile — This profile contains the various scan settings required to run a 
compliance scan. We recommend Initial PC Options to get started. 


Network — (Visible only when the Network Support feature is enabled.) Select the 
network you want to scan. Only one network may be selected at a time. 


Scanner Appliance -- If your account has scanner appliances, you can select a 
scanner option from the menu: External, scanner appliance name, All Scanners in Asset 
Group, All Scanners in TagSet, Build my list, or Default. You can select one or more 
scanner appliances for your internal compliance scans. (These same options are available 
for vulnerability scans.) 


Choose Target Hosts from — Select the hosts you want to scan. You can enter 
IPs/ranges/FQDNs and/or asset groups. When Asset Tagging has been added to your 
account then you also have the option to identify target hosts by selecting asset tags. 
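The IPs/Ranges and Exclude IPs/Ranges fields accept comma-separated addresses and start-end ranges. The following is an added example, not Qualys code, that expands such a list, applies the exclude list and flags targets that are not host assets in the PC module (the PC host asset list is constructed for the example; such hosts would produce no compliance data).

```python
import ipaddress
from typing import List, Set

# Added example, not Qualys code. Parses target lists in the IPs/Ranges format used
# by the Launch Compliance Scan window (e.g. "192.168.0.87-192.168.0.92, 192.168.0.200"),
# removes the Exclude IPs/Ranges entries, and flags targets that are not host assets
# in the PC module, since only PC host assets yield compliance data.

MAX_RANGE = 65536  # guard: refuse a single start-end range larger than a /16


def parse_ip_list(text: str) -> Set[ipaddress.IPv4Address]:
    """Expand a comma-separated list of IPv4 addresses and start-end ranges."""
    hosts: Set[ipaddress.IPv4Address] = set()
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue  # tolerate trailing commas and blank entries
        if "-" in entry:
            lo_s, hi_s = (p.strip() for p in entry.split("-", 1))
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
            if hi < lo:
                raise ValueError(f"range end precedes start: {entry!r}")
            if int(hi) - int(lo) + 1 > MAX_RANGE:
                raise ValueError(f"range too large: {entry!r}")
            hosts.update(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))
        else:
            hosts.add(ipaddress.IPv4Address(entry))  # raises ValueError on bad input
    return hosts


def effective_targets(ips: str, exclude: str = "") -> List[str]:
    """Targets that will actually be scanned: IPs/Ranges minus Exclude IPs/Ranges."""
    return [str(a) for a in sorted(parse_ip_list(ips) - parse_ip_list(exclude))]


# Constructed stand-in for the hosts already added to the PC module of the account.
PC_HOST_ASSETS = parse_ip_list("192.168.0.80-192.168.0.95, 192.168.0.200")


def targets_outside_pc_module(ips: str, exclude: str = "") -> List[str]:
    """Effective targets that are not PC host assets (no compliance data would result)."""
    return [a for a in effective_targets(ips, exclude)
            if ipaddress.IPv4Address(a) not in PC_HOST_ASSETS]


if __name__ == "__main__":
    print(effective_targets("192.168.0.87-192.168.0.92, 192.168.0.200", "192.168.0.90"))
    print(targets_outside_pc_module("192.168.0.87-192.168.0.92, 192.168.0.210"))
```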


Notification — Want to be notified when the scan is done? Just select the option “Send 
notification when this scan is finished” and tell us who should be notified by selecting 
distribution groups, and enter a custom email message. 


After providing your scan settings, click the Launch button. The Scan Status will appear 
in a new window. 


[Screenshot: Scan Status window showing Scan Information (Scan Title, Launch Date, Status: Running, Total IPs Scanned, Scanner Appliance with scanner and signature versions) and Scan Segment Detail (segment status, duration, start and end date, and the hosts the scan is running on).] 


The Scan Status report is updated every 60 seconds until all targeted hosts have been 
analyzed, allowing you to view results in real time. The scan task runs in the background, 
so you can safely close the status window and return to it from the scans list. 


You can easily track a scan and its status from the scans list. A results-processed 
indicator icon appears next to a scan when the scan is finished and the results from the scan have been 
processed. When results are processed it means posture evaluation for the scanned hosts 
is updated and the results are available for reporting. 
Tips: 


No data found -- If you run a compliance scan and it returns the status “Finished” with 
the message “No data found” it's most likely that authentication was not successful on the 
target hosts. Be sure to create authentication records for the systems you want to scan. 
Also check that the credentials in the records are current. 


Authentication Report -- The Authentication Report helps you identify where 
authentication was successful and where it failed for compliance hosts. For each host, 
authentication status Passed, Failed or Passed with Insufficient Privileges (Passed') is 
provided. 


More Information — The online help (Help > Online Help) and the Resources section (Help 
> Resources) describe trusted scanning setup requirements and best practices. This 
information details the account requirements for each authentication type. 


We recommend you schedule scans to run automatically 


You can schedule the compliance scan to run at a future date and time, just as you can for 
vulnerability scans. Select Scans from the top menu and click the Schedules tab. Go to 
New > Schedule Scan > Compliance. 


The New Scheduled Compliance Scan window appears where you can add the task. 
You'll notice the schedule settings are similar to a vulnerability scan schedule, except you 
enter a compliance profile instead of an option profile. 


How to configure scan settings 


Compliance profiles contain scan configuration settings that can be fine tuned and saved 
for future use. To see the compliance profiles in your account, go to Scans > Option 
Profiles. To add a new compliance profile, go to New > Compliance Profile. 


[Screenshot: Scans > Option Profiles tab listing compliance profiles (e.g. Initial PC Options and My Compliance Profile) with Type, Title, User and Modified date. The preview of Initial PC Options shows Scan restriction by Policy: Disabled and, under Control Types, File Integrity Monitoring Controls: Disabled.] 

Below you'll see a sample compliance profile with initial settings provided by the service. 
Scan Options 


The Scan tab of the profile includes settings that affect how the service gathers 
information about target hosts and how the service performs compliance assessment on 
target hosts. 


[Screenshot: New Compliance Profile, Scan tab. Performance: Overall Performance Normal, with a Configure button. Scan restriction: a Scan by Policy check box described as "Restrict scans to controls in selected policies. You can choose up to 20 policies to scan. By default Qualys scans for all applicable controls. (This setting is not applicable to SCAP scans.)"] 

You can choose one policy at a time. 

Performance 




The performance level selected in the profile determines the number of hosts to scan in 
parallel, the number of processes to run in parallel against each host, and the delay 
between groups of packets sent to each host. Click Configure to change the performance 
level or customize performance settings. 


Scan restriction using Scan by Policy 


When you run a compliance scan we scan for all controls in the controls list (except 
special control types listed in Control Types section - you must explicitly select these). The 
Scan by Policy option allows you to restrict your scans to the controls in selected policies. 
You can choose up to 20 policies, one policy at a time. Once you've selected a policy, all 
controls in that policy will be scanned including any special control types in the policy. 
This is regardless of the Control Types settings in the profile. 


Database Control Types 


You can set a limit on the number of rows to be returned per scan for the user-defined 
database controls. By default, we'll return up to 5000 rows for Oracle and up to 256 rows 
for all the other control types listed. Select any control type listed to edit the limit. 


[Screenshot: Database Control Types section of the profile: "These settings apply to user-defined database controls. By default, we'll return up to 5000 rows for Oracle and up to 256 rows for all other control types. Select the control type to edit the limit." Check boxes for MS SQL Database Check (default 256), Oracle Database Check (default 5000) and Sybase Database Check (default 256), each with a Max rows to return field.] 
Integrity Monitoring 


If you've created File Integrity Check controls with the option “Use scan data as expected 
value” enabled then choose the “Auto Update expected value” option in the profile. This 
allows us to automatically update the control value after a valid file change. Be sure to 
also select “File Integrity Monitoring controls enabled” under Control Types in the profile. 


Control Types & Dissolvable Agent 


There are some additional control types you can check during scanning. These are not 
included in scans by default and require additional steps to set up. For example, to 
perform file integrity monitoring you must add user defined controls that specify the files 
you want to track. To scan for password auditing controls, to enumerate Windows shares 
on your hosts, or to perform a Windows directory search, you must enable the Dissolvable 
Agent. The online help describes these features in detail. 


Which ports are scanned? 


When “Standard Scan” is selected, all ports in the standard ports list are scanned (about 
1900 ports) in addition to any custom ports specified in Unix authentication records. You 
can click the “View list” link to see the standard ports list. When “Targeted Scan” is 
selected, the service targets the scan to a smaller set of ports. This is the recommended 
setting, and it is the initial setting for a new compliance profile. 


[Screenshot: profile settings. Integrity Monitoring: "This setting applies to file and directory integrity checks configured with 'Use scan data as expected value'. When enabled, we'll update the control expected value used for posture evaluation with the actual value returned by the scan." with an Auto Update expected value check box. Control Types: "These control types are disabled by default to improve performance. Select each control type you want to include in the scan. (This setting is not applicable to SCAP scans.)" with File Integrity Monitoring controls enabled and Custom WMI Query Checks. Dissolvable Agent: Enable the Dissolvable Agent, Enable Password Auditing (custom password dictionary, Configure...), Enable Windows Share Enumeration, Enable Windows Directory Search. Ports: Standard Scan (about 1900 ports, View list) or Targeted Scan (Recommended).] 


System Authentication Options 


On the System Authentication tab, you can allow the system to create authentication 
records automatically using the scan data discovered for running instances. Then choose 
whether to include system-created authentication records in scans. Instance discovery 
and auto record creation is supported for several technologies, including Apache Web 
Server, IBM WebSphere App Server, JBoss Server, Tomcat Server and Oracle. 


To use this feature, you'll create 2 compliance profiles. One profile for instance discovery 
and record creation, and one profile for using system created records for compliance 
assessments. These options cannot be selected in the same profile. First a discovery scan 
finds instances of the server applications that you have chosen to scan, consolidates 
instance data, and creates/updates authentication records in your account. Then an 
assessment scan uses the records saved in your account for control evaluations. Please 
refer to the online help for complete details on this feature. 


[Screenshot: New Compliance Profile, System Authentication tab. "Allow the system to create authentication records automatically using the scan data discovered for running instances. In follow up scans, compliance assessments can be performed using those system created records." Create System Authentication Records: "By choosing this option we'll restrict scans to instance discovery and record creation for the selected technology. Unix authentication is required. Compliance assessments will not be performed for any technology." (check box: Allow instance discovery and system record creation). Use System Authentication Records: "When selected, compliance assessments will be performed using all active authentication records (system and user created). Instance discovery and record creation will not be performed." (check box: Include system created authentication records in scans).] 


Additional Options 


Click the Additional tab in your profile for configuration settings that affect how the 
service performs host discovery and how the service interacts with your firewall/IDS 
configuration. The initial settings are best practice in most cases. 


[Screenshot: New Compliance Profile, Additional tab, Host Discovery settings: TCP Ports (maximum 20; Standard Scan, 13 ports, View list; or a custom list such as 1-6, 1024), UDP Ports (maximum 6; Standard Scan, 6 ports; or custom), ICMP, and Blocked Resources.] 


What is host discovery? 


This is the first phase of a scan when the service sends probes to attempt to discover 
whether the hosts in the scan target are alive and running. 


Important: By changing the default settings the service may not detect all live hosts and 
hosts that go undetected cannot be analyzed for compliance. These settings should only 
be customized under special circumstances. For example, you might want to add ports 
that are not included in the Standard port list, remove probes that will trigger your 
firewall/IDS, or only discover live hosts that respond to an ICMP ping. 
Instance Data Collection Options 


On the Instance Data Collection tab, you can select database technologies as well as other 
OS-based applications and technologies for which you want to enable data collection 
without creating an authentication record for respective technologies. Data collection for 
the selected technologies happens on host assets by using the underlying OS 
authentication records. 


[Screenshot: New Compliance Profile, Instance Data Collection tab, "Instance Data Collection Using OS Authentication Records": select database technologies and applications to enable data collection on them by using authentication records created for their underlying host operating systems. Databases: MongoDB, Oracle, MySQL, MS SQL. Applications and Other Technologies: Oracle JRE, IBM WebSphere Liberty. Note: If you use individual database authentication records for compliance scans, we recommend not to use this option. If you enable it, you get duplicate results in compliance reports, one using database authentication records and the other using OS authentication records.] 


Databases 


In case of database technologies, only OS-dependent database controls are used in data 
collection and evaluation. To see the list of available OS-dependent database controls, go 
to Policies > Controls > Search and then, in the Search dialog box, select the Instance 
Data Collection box for DB OS CIDs. The search returns the system-defined controls only. 


For data collection on MongoDB, Oracle, and MySQL instances, you need a Unix 
authentication record (with Sudo as root delegation). 


For data collection on MSSQL instances, you need a Windows authentication record. 


Applications and Other Technologies 


To select OS-based applications and other technologies, first select the Applications and 
Other Technologies box. Then pick from the applications/technologies listed. 


For data collection on Oracle JRE instances, you need a Unix authentication record (with 
Sudo as root delegation) or Windows authentication record depending on the host 
operating system. For data collection on IBM WebSphere Liberty instances, you need a 
Unix authentication record (with Sudo as root delegation). 


For the supported versions of databases as well as OS-based applications and other 
technologies, see the “Authentication Technologies Matrix” in the online help. 


These technologies are auto-discovered by Cloud Agents for Policy Compliance (PC). To 
know more, see “Middleware Technologies Auto-discovered by Cloud Agents for PC” in the 
online help. 
Install Cloud Agents 


Qualys Cloud Agent is our revolutionary platform that supports security assessments in 
real time, without the need to schedule scan windows and manage credentials for 
scanning. You can choose to install cloud agents instead of scanner appliances for 
continuous compliance data collection. These lightweight agents can be installed 
anywhere - any host such as a laptop, desktop, server or virtual machine - in minutes. 


All agent installations are managed in Qualys Cloud Agent. We'll help you create activation 
keys, download and install agents, and activate your agents for Policy Compliance (PC). 


Log into your account and choose Cloud Agent from the application picker. 


The Cloud Agent Platform Quick Start Guide provides helpful information to get started. 
Select Quick Start Guide below your user name at any time to see this guide. You'll find 
helpful links to Cloud Agent free training and user guides. 


(Screenshot: the Cloud Agent Platform Quick Start Guide home page, with the steps Cloud Agent Overview and Download & Install Agents (create activation keys and set up agents), a See your agents link, and links to the Qualys Community, the CA Platform Announcement and the webcast "An Introduction to CA".)


Evaluate Middleware Assets by Using Cloud Agent 


Evaluate compliance posture on your assets by assessing the middleware technologies 
installed in your environment using your PC agents. You can dynamically discover and 
assess middleware technologies like web servers in your environment. We provide you 
with two ways to quickly get started. You can either choose to enable all your agents to be 
activated for middleware assessment by default or you can activate assets individually. 


If you choose to enable assessment by default, you no longer need to monitor the asset list 
and activate each asset yourself. As soon as supported technology instances are discovered 
on an asset, the asset is activated for assessment. As part of the activation process, the 
Middleware manifest is installed on the agent. 


If you choose to activate each asset individually, the manifest is installed on the agent 
once you activate the asset for assessment. 
The middleware assets and technologies installed on the assets are identified using cloud 
agents and are listed in the PC > Assets > Middleware Assets tab. There's no need to 
create duplicate controls - the controls you've already defined in your PC account for 
compliance scanning will also be evaluated by cloud agents with no action from you. You 
can continue to use your scanner to discover middleware technologies in your 
environment. 


Prerequisites 
- Qualys Policy Compliance must be enabled for your subscription 
- Qualys Cloud Agent must be enabled for your subscription 
- Cloud Agents must be activated for the PC module 
- Windows Cloud Agent 4.0.x or later 
- Linux Cloud Agent 2.8.x or later 


See the online help to learn more about the Middleware Technologies auto-discovered by 
Cloud Agent in Policy Compliance. 


Identify Middleware Assets 


Set up Cloud Agent on the assets you want to assess for middleware technologies. Once 
the agents have scanned the assets, the middleware technology details of the assets are 
listed in the Middleware Assets tab. 


Here you can view details like number of instances of the technology on your asset, OS, 
Status, Update Date, etc. There could be a delay in displaying the discovered details in the 
list depending on intervals set on your Cloud Agent scans. 


(Screenshot: the PC > Assets > Middleware Assets tab. Each row shows IP, Hostname, OS, Middleware Technology (with the number of instances found), Status and Update Date. The example rows are a CentOS Linux 7.0.1406 host with TOMCAT (1 instance found, NOT ACTIVATED, 2020-07-21 21:03:03), a Windows 10 Pro 10.0.10586 host with EXPLORER (1 instance found, Successful Deactivation, 2020-07-21 20:30:06) and a Windows 10 Pro 10.0.17763 host with MSOFFICE (6 instances found, Successful Activation, 2020-07-21 20:36:57).)


Status types: 


Not Activated - The asset is not yet activated for middleware assessment. When a 
technology is identified by the agent for the first time on the asset, it is listed as Not Activated. 


Successful Activation - The asset is activated for middleware assessment. You can run 
policy compliance reports on this asset for middleware. 


Successful Deactivation - The asset is temporarily deactivated for middleware assessment 
and will be eliminated from upcoming policy reports. 
Activate assets for middleware assessment 


When a technology is identified by the agent for the first time on an asset, it is listed as 
Not Activated. To activate the asset, select the asset and from the Action menu choose 
Activate Middleware Assessment. You can activate multiple assets at the same time. 
Once an asset is activated, the Middleware manifest is assigned to the agent and status is 
set to Successful. You can now create policies and run compliance reports on these assets 
for the middleware technologies. 


(Screenshot: the Middleware Assets tab with an asset selected and the Actions menu open, offering Activate Middleware Assessment, Deactivate Middleware Assessment and Clear Selections. The CentOS Linux 7.0.1406 host with TOMCAT shows NOT ACTIVATED, 1 Instance Found, updated 2020-07-24 22:59:23; the Windows 10 Pro host shows No instance found, Successful, updated 2020-07-23 09:04:26.)


Similarly, you can deactivate an asset for assessment using the Deactivate Middleware 
Assessment option. Once deactivated, the data for technologies on the asset will no longer 
be assessed and will not be displayed in the policy compliance report. However, data 
collected before deactivation can still be viewed in the report. You can reactivate 
assessment on an asset at any time using the Activate Middleware Assessment option. 


Activate assessment on assets by default 


You can set the assets to be activated for assessment by default as soon as they are 
discovered. Go to Assets > Setup, click Middleware Assessment and select the Enable 
Middleware Assessment by default option. 


(Screenshot: the Middleware Assessment Setup dialog. Text: "Enable Middleware assessment on agents activated for config assessment as soon as the middleware technologies are detected on your assets." Check box: Enable Middleware Assessment by default.)
Sample Middleware Assessment Report 
Here is a sample Middleware Assessment report for CentOS Linux 7.6.1810 


(Screenshot: a Middleware Assessment report for CentOS Linux 7.6.1810. Header: Tracking Method QAGENT; Last Scan Date 07/14/2020 at 11:26:14 AM (GMT-0700); Qualys Host ID c3eb8b38-1028-4220-a6bf-0132d70de4bd; Asset Tags: Cloud Agent, Tomcat7 8 9; Controls: Passed 100%, Failed 0, Approved Exceptions 0, Pending Exceptions 0. Under the technology Apache Tomcat 7.x, section 1 Tomcat, control (1.1) CID 9422, "Status of the 'ownership' of 'conf' directory within web server instance", status PASS, for the instance Apache TC 7: /opt/tc/apache-tomcat-7.0.94, evaluated 07/14/2020 at 12:06:06 PM (GMT-0700). Control description: the 'conf' directory holds the web server configuration files; access to it makes it easier for an attacker to alter the web server configuration, so ownership should be configured according to business needs. Evidence: "The List String value(s) of X indicates the current status of the Ownership and permissions set for the $CATALINA_BASE/conf file on the host." Expected: matches regular expression list (the pattern is not legible in the extracted text). Actual, last updated 07/14/2020 at 10:22:10 AM (GMT-0700): /opt/tc/apache-tomcat-7.0.94/conf:drwxr-xr-x..root:root. The next control, (1.2) CID 9473, is "Existence of the 'extraneous' files and directories (Sensitive files/Directories)".)
Define Policies 


Create a compliance policy based on your organization's compliance needs, and assign 
relevant assets to the policy. You can easily import policies directly to your account from 
our Compliance Policy Library. The library includes policies that are based on popular 
compliance frameworks, including SOX, HIPAA, CoBIT and more. You can also import a 
compliance policy from an XML file. The XML file may be one that was exported from your 
account or one that was shared with you by another security professional. 


The imported policy appears in your policies list where you can assign assets to the policy 
and customize the policy settings. By default, we'll only import the service-provided 
controls in the policy. Choose “Create user defined controls” to also import UDCs. 


Once the compliance policy is in place, you can apply the policy to saved compliance scan 
results to identify whether hosts are meeting compliance requirements. The next few 
sections will guide you through the process of creating your first policy. 


Create your first policy 


Go to PC > Policies > New > Policy. 


(Screenshot: the Policies tab with the New menu open. Policy expands to Create from Scratch, Create from Host, Import from Library and Import from XML File; the menu also offers SCAP Policy, Import SCAP Policy and Download.)


Get started using any of these methods: 


Create from Scratch — Follow the wizard to select policy technologies, assign assets to the 
policy, and give your policy a name. When the Policy Editor appears you can add controls 
to your policy and set control values. 


Create from Host — You'll select a host that has already been scanned for compliance, 
give your policy a name, and click Create. We’ll build the policy for you based on the latest 
compliance findings for the host. We'll add controls to the policy and organize them into 
sections. 


Import from Library — We provide many policies in our Library, including CIS-certified 
policies. Find the policy you want, click on it and then click Next to import it to your 
account. 


Import from XML File — Follow the wizard to choose the XML file you want to import and 
give your policy a name. 
Here's a sample policy for the Windows XP technology. 


(Screenshot: the Policy Editor overview for "My Windows XP Policy". Policy Information: Assigned Technologies (1) Windows XP desktop, Asset Groups (1), Tags (0), 393 controls; Status Active (Deactivate link); Locking: Block other users; Last Evaluated 04/26/2021 at 02:31:13 PM (GMT-0700); Created By Rikki Smythe (quays_rs9). Sections: 1 OS Security (193 controls), 2 Access Control (200 controls), each with Add Controls | Copy Controls | Remove | Edit links; Add Section and Reorder buttons; Evaluate Now and Save buttons.)


Can I search the policy? 


Yes. Use the search feature in the top, right corner to jump directly to any section or 
control in the policy. Search by keyword or control ID. 


(Screenshot: the Policy Editor overview for "My Windows XP Policy" with the search box in the top, right corner; the summary shows 2 sections, 1 technology (Windows XP desktop) and 393 controls.)


How to assign assets to the policy 




Tell us the hosts that you want to test for compliance with each policy. You can do this by 
adding asset groups to the policy (all hosts in the specified asset group are included) or by 
adding asset tags in the include list (hosts that match any or all of the specified tags are 
included). You can also specify the asset tags that you want to exclude. Hosts having all or 
any of the tags in the exclude list are excluded from policy compliance assessment. 


(Screenshot: the Policy Information panel of the Policy Editor, showing Assigned Technologies (1) with an Edit link, Asset Groups (1) and Tags (0) with an Edit link, 1 technology (Windows XP desktop) and 393 controls.)
Do you have PC Agent? 


You'll also see the option to include all hosts in your PC Agent license. Click Edit to edit the 
policy assets. Then select the Include all hosts with PC agents check box. 


(Screenshot: the Edit policy assets dialog. Text: "Tell us the hosts you want to analyze for compliance with this policy. Have Cloud Agent? You can also include agent hosts." Choose Target Hosts from: "You can select a combination of asset groups and asset tags, and we'll evaluate the policy against all matching hosts", with Asset Groups and Tags options, a Search asset groups field, Add All | Remove All and View | Remove links. Hosts with Cloud Agents: the Include all hosts with PC agents check box.)


When you run policy reports, you'll be able to identify the agent hosts in the policy by 
looking for the tracking method AGENT. 


How do I add controls to a section? 


Drill-down into a section from the home page (double-click on the section), and then click 
the Add Controls button to search for and add controls to the section. Note that you can 
only select controls that have not already been added to the policy, and the controls must 
be applicable to the global technologies list set for the policy. 


(Screenshot: the Controls view for section 1 OS Security (193 controls), with Add Controls, Copy Controls and Reorder buttons. Each row shows Reference #, CID, Statement, Technologies and Criticality, with Remove | Edit | Inactivate links. Example rows: 1.1 CID 1045 Status of the 'Clipbook' service (startup type); 1.2 CID 1048 Status of the 'Shutdown: Clear virtual memory pagefile' setting (CRITICAL); 1.3 CID 1060 Status of the 'NetMeeting Remote Desktop Sharing' service; 1.4 CID 1134 Status of 'logon banner title' setting (Legal Notice) (SERIOUS); 1.5 CID 1149 Status of the 'Microsoft network client: Digitally sign communications (always)' setting (CRITICAL).)


Copy controls from another policy or technology 


Save time by copying controls, along with their settings, already defined in another policy. 
Click Copy Controls in a new section or existing section in your policy. Tell us which policy 
has the controls you're looking for. Select the controls you want to copy, and click Copy. 
(Screenshot: the same Controls view for section 1 OS Security, with the Copy Controls button highlighted next to Add Controls and Reorder.)


Similarly, when you add a new technology to your policy, you can copy control settings 
from another technology in the same policy, another policy in your account or a policy in 
the Library. For example, let's say you're adding Windows 10 to your policy and you choose 
to copy settings from another technology like Windows 8. We will apply settings from all 
applicable Windows 8 controls to Windows 10 controls. 


How do I reorder controls? 


From the controls list, you can reorder controls using these methods: 1) Click the Reorder 
button and then type over any control number. This is an easy way to move controls from 
one section to another, for example change control 2.1 to 1.1 to move it from section 2 to 
section 1. 2) Simply drag and drop a control to a new position. Click the far left edge of the 
control row to move it. 


(Screenshot: the same Controls view for section 1 OS Security, with the Reorder button highlighted; the Reference # column (1.1 to 1.5) is where control numbers are typed over.)


How do I edit control details? 


Drill-down into a section from the home page (double-click on the section), and then 
double-click on any control (or click Edit) to see control details. From here you can change 
the control value for any technology, add/remove technologies for the control, add an 
external reference number and customize remediation details. Use the left and right 
arrows to quickly scroll through the controls in a section. 
(Screenshot: Control Details for control 1.1, CID 1045, "Status of the 'Clipbook' service (startup type)", in section 1 OS Security. Criticality, Reference # and Status (Active) each have an Edit link; Add Technology and Remove buttons; each technology (Windows 2000, Windows XP desktop) has a Remove this technology link and a Copy to Other Technologies button, plus a Test Control button.)


Control description: The 'Clipbook' service is used to transfer Clipboard information across the LAN and is sent in clear text. The authentication required is a holdover from the 16-bit 'Data Exchange' protocol, which is a 'network' password among systems sharing the LAN, with a default set to allow READ for EVERYONE that has network access. The service is not required for any other system operations and increases system vulnerability; it should be disabled unless there is a demonstrated need for its use set by the business. 


Windows XP desktop: This Integer value X indicates the current status of the Clipbook service from the Windows Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clipsrv\Start setting. A value of 2 indicates the service is set to automatic; a value of 3 indicates the service is set to manual; a value of 4 indicates the service is set to disabled. Fixed value options: RegSubKey not found, Automatic (2), Manual (3), Key not found, Disabled (4). 


Remediation: Review and verify the startup type of the 'Clipbook' service is in line with business needs and the organization's security policies. 

# To configure startup type of a service follow the steps below: 

1. Open 'services.msc' 

2. Double click to open the properties of the service to be configured 

3. Configure the 'Startup Type' of the service from the drop down menu. 


Copy control settings from one technology to other technologies 


Drill-down into the control details for any control in your policy and pick a technology on 
the left side to see the control settings for that technology. Then click the Copy to Other 
Technologies button to copy the settings from the selected technology to all other 
technologies listed in the policy for the same control. 


Note that if the control criteria is different between the technology that you've selected 
and another technology for the control (e.g. different cardinality, operator or fixed value 
options), then only the remediation value will be copied. Other control settings will not be 
copied in this case. You'll get a message on the screen that lets you know which 
technologies could not get all control settings. 


How do I add a control reference? 


You can add a reference to any control by either clicking the Add Ref # link from the list of 
controls or clicking Edit next to Reference # in the Control Details. The text you enter will 
appear in your policy reports under Control References. Note that Managers and Auditors 
can still add references (documents, URLs and text) by editing a control from the controls 
data list (go to PC > Policies > Controls). 
Add User-Defined Controls 


Managers and Auditors have the option to add user-defined controls (UDC) to the 
subscription making them available for compliance scanning and reporting. The service 
supports Windows, Unix and Database control types. 


When defining a UDC, you must 1) provide general information for the control like a 
control statement and category, 2) specify the scan parameters that define the data point 
check to be performed by the scanning engine, and 3) identify the technologies that the 
control applies to and set the default expected value for each technology. 


To add a UDC, go to Policies > Controls and pick New > Control. 


In the New Control window, select Windows Control Types, Unix Control Types or 
Database Control Types. 


(Screenshot: the New Control window, "Select the control you want to create", with Unix Control Types, Windows Control Types and Database Control Types.) The Windows control types are: 

- Registry Key Existence - checks for the existence of a user-specified Windows registry key. 
- Registry Value Existence - checks for the existence of a user-specified Windows registry key value. 
- Registry Value Content Check - checks the content of a Windows registry key value. 
- Registry Permission - checks permissions that are set on a Windows registry key. 
- File Content Check (Agent Only) - checks the contents of a user-specified file. 
- File/Directory Existence - checks for the existence of a user-specified file or directory. 
- File/Directory Permission - checks permissions that are set on a user-specified file or directory. 
- File Integrity Check - checks the integrity of a user-specified file. 
- Group Membership Check - lists members of a local group. 
- WMI Query Check - executes a WMI (Windows Management Instrumentation) query. 
- Share Access Check - checks the share permissions and the directory permissions. 
- Windows Directory Search Check - finds Windows files and directories that match your search parameters (i.e. name, permissions, etc). 
- Directory Integrity Check - checks the integrity of Windows files at the directory level and reports hash based file integrity and snapshot updates. 


Click on the type of control you want to create. Provide details for the control, including 
General Information, Scan Parameters, Control Technologies and References. (See the 
online help for complete information.) Click Create to save the new control. 


Once saved, the UDC appears in the controls list with the service-provided controls. The 
service automatically assigns the new custom control a unique CID (Control ID) starting at 
100000. Subsequent CIDs are incremented by one — 100001, 100002, 100003, etc. The new 
control is automatically included in all future compliance scans and may be added to 
policies. 
Sample Control: Unix File Content Check 


This control checks the contents of a user-specified file on a Unix system. A Unix File 
Content Check control includes 2 regular expressions. The first regular expression is 
entered in the Scan Parameters section and is used to filter results on the target 
file/directory at the time of the scan. The second regular expression is entered in the 
Control Technologies section and is used to perform the pass/fail evaluation of the 
returned results. 


Example: 


This sample control can be used to find lines in the /etc/passwd file that end with 
/bin/bash. The settings in the Scan Parameters section instruct the scanning engine to 
first return all lines in the /etc/passwd file that have at least one character. The settings in 
the Control Technologies section instruct the scanning engine to pass the control if none 
of the lines end with /bin/bash. If at least one line in the file ends with /bin/bash then the 
control will fail. 


(Screenshot: the New Control: File Content Check form, "This control type checks the contents of a user-specified file", with these settings.) 

General Information 
Statement: Find lines in the /etc/passwd file that end with /bin/bash 
Category: Access Control Requirements 
Sub-Category: Authentication/Passwords 
Criticality: No criticality level 

Reporting Options 
Ignore errors and set status Passed - When selected, we'll set control status Passed when any error occurs during evaluation. 
Ignore "item not found" error and set status - This option allows you to pass or fail the control in cases where it returns error code 2 "item not found" (e.g. scan did not find file, registry, or related data). When selected, we'll add a checkbox to the control in the policy where you'll set the status you prefer, Passed (default) or Failed. 

Scan Parameters - The scan parameters, or data point, indicate what location, file, or setting for the scan to check. 
File path: /etc/passwd 
Regular expression: (not legible in the extracted screenshot; per the description it returns every line with at least one character) 
Data Type: Line List 
Description: Returns all lines in the /etc/passwd file that have at least one character. 

Default Values for Control Technologies - Default values are automatically assigned when you click the check box for a technology. 
Rationale: Pass the control if none of the lines returned end with /bin/bash 
Cardinality: match none (Lock Cardinality) 
Operator: regular expression (Lock Operator) 
Default Value: /bin/bash$ (Lock Value) 

Control Technologies - AIX 5.x: Use this section to create an AIX 5.x instance of this control; it carries the same Rationale, Cardinality, Operator and Default Value. 
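To make the two-stage evaluation concrete, here is an added Python model of the sample control above. It is example code written for this guide, not Qualys's scanning engine or any Qualys API: the /etc/passwd content is constructed, only the cardinalities match none, match any and match all are modeled, and treating a missing file as the "item not found" case whose status follows the reporting option (Passed by default, Failed if so configured) is an assumption about how that option combines with the check.

```python
"""Two-stage evaluation of a Unix File Content Check (added example, not Qualys code).

Stage 1 (Scan Parameters): a scan regular expression filters the file's lines.
Stage 2 (Control Technologies): a cardinality plus an evaluation regular
expression decides pass/fail over the lines returned by stage 1.
"""
import re
from typing import Optional

# Constructed /etc/passwd excerpt (not from a real host): two interactive bash accounts.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "sshd:x:110:65534::/run/sshd:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
)

# Settings of the sample control: return every line with at least one
# character, then pass only if none of those lines ends with /bin/bash.
SCAN_REGEX = "."
EVAL_REGEX = r"/bin/bash$"
CARDINALITY = "match none"


def collect(file_text: Optional[str], scan_regex: str) -> Optional[list[str]]:
    """Scan Parameters stage (Data Type: Line List).

    Returns the lines matching scan_regex. None models the file being absent,
    which the guide describes as error code 2, "item not found".
    """
    if file_text is None:
        return None
    return [line for line in file_text.splitlines() if re.search(scan_regex, line)]


def evaluate(lines: list[str], cardinality: str, eval_regex: str) -> tuple[bool, list[str]]:
    """Control Technologies stage: apply the cardinality to the evaluation regex.

    Returns (passed, matching_lines); the matching lines are the evidence a
    report would show. "match all" over an empty list is treated as passing.
    """
    hits = [line for line in lines if re.search(eval_regex, line)]
    if cardinality == "match none":
        return len(hits) == 0, hits
    if cardinality == "match any":
        return len(hits) > 0, hits
    if cardinality == "match all":
        return len(hits) == len(lines), hits
    raise ValueError(f"unsupported cardinality: {cardinality}")


def file_content_check(file_text: Optional[str], scan_regex: str = SCAN_REGEX,
                       cardinality: str = CARDINALITY, eval_regex: str = EVAL_REGEX,
                       not_found_status: str = "PASSED") -> tuple[str, list[str]]:
    """Whole control: returns (status, evidence).

    not_found_status models the 'Ignore "item not found" error and set status'
    option: PASSED is the guide's default, FAILED the alternative (assumption:
    the option decides the status on its own when the file is missing).
    """
    lines = collect(file_text, scan_regex)
    if lines is None:
        return not_found_status, []
    passed, evidence = evaluate(lines, cardinality, eval_regex)
    return ("PASSED" if passed else "FAILED"), evidence


if __name__ == "__main__":
    status, evidence = file_content_check(SAMPLE_PASSWD)
    print(status)                      # FAILED: root and alice end with /bin/bash
    for line in evidence:
        print("  evidence:", line)
    # Narrowing the scan regex to service accounts changes what stage 2 sees.
    print(file_content_check(SAMPLE_PASSWD, scan_regex=r"^(daemon|sshd):")[0])  # PASSED
```

The scan regex only decides which lines reach the evaluation stage, so a narrower scan regex can turn the same cardinality and evaluation regex from FAILED into PASSED; that is the point to keep in mind when reviewing a UDC whose scan regex is tighter than its statement suggests.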
Sample Control: Windows Registry Permission 


A Windows Registry Permission control checks permissions that are set on a Windows 
registry key for different user groups and individual users. 


To maximize space, the Policy Compliance application assigns each permission a letter 
(A,B,C,D,...) and displays the letter instead of the full permission name. You must use the 
same mapping when setting the default expected value for the control. (See “Registry 
Permissions” in the online help for a table that maps each permission to the letter it 
represents.) 


Example: 


This sample control checks that the registry key HKLM\SYSTEM has the following 
permissions: 


The Administrators group has Full Control permission (D:E:F:G:H:I:J:K:L:M) 

The Users group has Read permission (E:F:I:M) 

A user named Robert has Read Control permission (M) 


(Screenshot: the New Control: Registry Permission form, "This control type checks permissions that are set on a Windows registry key", with these settings.) 

General Information 
Statement: Permission for HKLM\SYSTEM 
Category: Access Control Requirements 
Sub-Category: Authentication/Passwords 
Criticality: No criticality level 

Reporting Options - the same two options as in the File Content Check sample (Ignore errors and set status Passed; Ignore "item not found" error and set status). 

Scan Parameters - The scan parameters, or data point, indicate what location, file, or setting for the scan to check. 
Registry Hive: selected from a drop-down (the screenshot shows HKEY_CLASSES_ROOT (HKCR) in the field, while the statement and description refer to HKLM\SYSTEM) 
Registry Key: SYSTEM 
Data Type: String List 
Description: Return parameters set on HKLM\SYSTEM registry key 

Default Values for Control Technologies - Default values are automatically assigned when you click the check box for a technology. 
Rationale: Admin group has Full Control, Users group has Read, Robert has Read Control 
Cardinality: matches (Lock Cardinality) 
Operator: regular expression list (Lock Operator) 
Default Value: the expected permission strings, one per line (the screenshot shows Users:E:F:I:M and Robert:M) (Lock Value) 

Control Technologies - Windows 10: Use this section to create a Windows 10 instance of this control. Windows 2000 (selected): Use this section to create a Windows 2000 instance of this control; it carries the same Rationale, Cardinality, Operator and Default Value. 
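As an added example (not Qualys code), the following Python models how the expected value list of this registry permission control is compared with the access control entries a scan returns. The "principal:letters" evidence strings are constructed, the letter-to-permission table from the online help is not reproduced, and the meaning given to the matches cardinality (every expected entry is satisfied by one entry and no returned entry is left unexplained) is this example's assumption; it also shows why the patterns must be anchored when an entry carries more permission letters than expected.

```python
"""Registry Permission control with cardinality "matches" over a regular
expression list (added example, not Qualys code; the "matches" semantics are
an assumption made here)."""
import re

# Expected value of the sample control, one regular expression per line:
# Administrators Full Control, Users Read, Robert Read Control. The letters
# follow the guide's letter-per-permission scheme; the real mapping table is
# in the Qualys online help and is not reproduced here.
EXPECTED_HKLM_SYSTEM = [
    r"Administrators:D:E:F:G:H:I:J:K:L:M",
    r"Users:E:F:I:M",
    r"Robert:M",
]

# Constructed evidence (String List) as a scan might return it for HKLM\SYSTEM.
ACL_COMPLIANT = ["Administrators:D:E:F:G:H:I:J:K:L:M", "Users:E:F:I:M", "Robert:M"]
ACL_EXTRA_RIGHT = ["Administrators:D:E:F:G:H:I:J:K:L:M", "Users:E:F:I:K:M", "Robert:M"]
ACL_EXTRA_PRINCIPAL = ACL_COMPLIANT + ["Everyone:M"]


def regex_list_matches(actual, expected):
    """Cardinality "matches" with a regular expression list (assumed semantics):
    every expected pattern fully matches at least one returned entry, and every
    returned entry is fully matched by some pattern.

    fullmatch anchors each pattern, so "Users:E:F:I:M" does not accept an entry
    that carries an additional permission letter, and an entry no pattern
    accounts for (an extra principal) fails the control instead of being ignored.
    """
    patterns = [re.compile(p) for p in expected]
    every_expected_present = all(any(p.fullmatch(a) for a in actual) for p in patterns)
    no_unexpected_entry = all(any(p.fullmatch(a) for p in patterns) for a in actual)
    return every_expected_present and no_unexpected_entry


def registry_permission_control(actual, expected=EXPECTED_HKLM_SYSTEM):
    """Returns (status, entries no expected line accepts, expected lines not found)."""
    patterns = [re.compile(p) for p in expected]
    unexpected = [a for a in actual if not any(p.fullmatch(a) for p in patterns)]
    missing = [p.pattern for p in patterns if not any(p.fullmatch(a) for a in actual)]
    status = "PASSED" if regex_list_matches(actual, expected) else "FAILED"
    return status, unexpected, missing


if __name__ == "__main__":
    for name, acl in [("compliant", ACL_COMPLIANT),
                      ("extra right on Users", ACL_EXTRA_RIGHT),
                      ("extra principal", ACL_EXTRA_PRINCIPAL)]:
        print(name, registry_permission_control(acl))
```

Had the comparison used an unanchored search, the entry Users:E:F:I:K:M would still satisfy the expected Users:E:F:I:M and the added permission would go unnoticed; when writing the expected value list for a real control, anchor the regular expressions explicitly if the evaluation engine does not do it for you.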
Database User-Defined Controls 


Use the database UDC type to create custom checks by executing SQL statements on 
databases. You can also use these checks to create policy reports on databases. We 
support several databases, including MS SQL, Oracle, Sybase, PostgreSQL/Pivotal 
Greenplum and SAP IQ. We'll walk you through the steps. 


Step 1 - Add database controls 


Go to PC > Policies > Controls > New > Control. Select Database Control Types and then 
click the type of control you want. In each control you'll define the SQL statement that you 
want to execute on your database. This value can have a maximum of 32000 characters. 


Note - Only SELECT statements are supported for the database controls. For example, you 
can use the following SQL statement to list all fields from “Customers” where country is 
“Germany” AND city is “Berlin”: 


SELECT * FROM Customers WHERE Country='Germany' AND City='Berlin' 


Step 2 - Add database controls to a policy 


Add your database controls to a compliance policy. Tip - Make sure your policy has the 
database technologies selected in the control. If you haven't scanned yet, you won't see 
any actual data from your database in the policy when you view the control. 


Time Efficient Tip: Run a compliance scan without any policy restrictions and then add 
database controls to the policy. This way you already have data from the scan to build a 
policy and set criteria. 


(Screenshot: the control's Microsoft SQL Server 2016 technology settings, with the SQL statement field (showing a "select * from cust" statement, cut off in the screenshot), the "Set status to PASS if no data found" check box selected, and a Test Control button.)


Step 3 - Launch a compliance scan 


Launch a compliance scan on the host running the database. First, edit the compliance 
option profile you'll use for the scan to set the max number of rows you want the check to 
return. Select any control type to edit the limit. 


Database Control Types - These settings apply to user-defined database controls. By default, we'll return up to 5000 rows for Oracle and up to 256 rows for all other control types. Select the control type to edit the limit. 

- MSSQL Database Check - Set a limit on the number of rows to be returned per scan for custom MS SQL Database checks (default is 256). Max rows to return: 
- Oracle Database Check - Set a limit on the number of rows to be returned per scan for custom Oracle checks (default is 5000). Max rows to return: 
- Sybase Database Check - Set a limit on the number of rows to be returned per scan for custom Sybase Database checks (default is 256). Max rows to return: 
- PostgreSQL/Pivotal Greenplum Database Check - Set a limit on the number of rows to be returned per scan for custom PostgreSQL/Pivotal Greenplum Database checks (default is 256). Max rows to return: 
Step 4 - Return to your policy to set control criteria 


Edit your policy using the Policy Editor to see the actual data returned by your scan. 


[Screenshot: the control in the Policy Editor for Microsoft SQL Server 2016 (statement “Check the data for all the customers”) shows the “Set status to PASS if no data found” check box, the Column Filters section with Criteria 1 (Column name), the Add another column link and the Test Control button.] 


Select a column and define the expected value. This is how you set the criteria that 
determine the pass/fail status for the control. To get accurate results, make sure the 
Expected Value you provide is appropriate for the selected Data-type. For example, if you 
select the data-type List String, provide a text value in the Expected Values field. 


[Screenshot: Criteria 1 configured with Column name CustomerName, Data-type List String, Operator regular expression list and Operator Criteria matches. The Column name list offers the columns returned by the scan: CustomerID, CustomerName, ContactName, Address, City, PostalCode, Country.] 


Note - The first check box “Set status to PASS if no data found” and Criteria 1 use OR for 
control evaluation. This cannot be changed. 


Click “Add another column” to add more criteria. You can add up to 5 criteria, i.e. Criteria 
1, Criteria 2, Criteria 3 and so on. 


You can choose AND or OR between each pair of criteria. If you choose AND, both criteria 
must match to Pass. If you choose OR, at least one criterion must match to Pass. 
Click Test Control to verify the criteria you set. Then save your policy. 


[Screenshot: Test Control on a control with three criteria joined by AND/OR (a regular expression list on a text column, a greater than or equal to comparison on a numeric column, and a string list on the Country column). After a database instance is selected, the result reads: The expected value does match the configuration gathered from the target. You may change both the target and the expected value and click Evaluate again. The Actual section shows the data returned for “Check the data for all the customers” with its last updated time.] 
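To make the evaluation rules of Steps 1 to 4 concrete, the following is an added Python example; it is not Qualys code and the guide does not describe the service's internals. It runs a SELECT against a constructed in-memory SQLite Customers table (standing in for the SQL Server instance), applies the per-scan row limit from the option profile in Step 3, and evaluates up to five column criteria joined by AND/OR with the “Set status to PASS if no data found” check box OR'd in. Three things are this example's assumptions rather than statements of the guide: a criterion holds only when every returned row satisfies it, mixed AND/OR connectives are applied left to right, and the SELECT-only rule is enforced by a simple prefix check.

```python
import re
import sqlite3
from typing import Any, Callable, Dict, List, Sequence, Tuple

# Constructed sample rows standing in for a target database's Customers table.
# They are made up for this example and are not data from the guide.
SAMPLE_ROWS = [
    (1, "Acme GmbH", "Anna Muller", "Hauptstrasse 1", "Berlin", "10115", "Germany"),
    (2, "Bauer AG", "Jonas Bauer", "Ringstrasse 2", "Munich", "80331", "Germany"),
    (3, "Contoso Ltd", "Chris Lee", "High Street 3", "London", "SW1A 1AA", "UK"),
    (4, "Dupont SA", "Claire Dupont", "Rue Neuve 4", "Paris", "75001", "France"),
]

Row = Dict[str, Any]
# A criterion is (column name, operator, expected values); connectives join them.
Criterion = Tuple[str, str, Sequence[str]]


def open_sample_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for the SQL Server instance the control targets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customers (CustomerID INTEGER, CustomerName TEXT, "
        "ContactName TEXT, Address TEXT, City TEXT, PostalCode TEXT, Country TEXT)"
    )
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def collect(conn: sqlite3.Connection, sql: str, max_rows: int = 256) -> List[Row]:
    """Data collection: the guide allows only SELECT statements, and the option
    profile caps rows returned per scan (default 256 for MS SQL, Sybase and
    PostgreSQL checks, 5000 for Oracle). The prefix check is this example's
    stand-in for the SELECT-only rule, not the service's own validation."""
    if not re.match(r"\s*SELECT\b", sql, re.IGNORECASE):
        raise ValueError("only SELECT statements are supported")
    cur = conn.execute(sql)
    columns = [d[0] for d in cur.description]
    return [dict(zip(columns, r)) for r in cur.fetchmany(max_rows)]


def _regex_list_matches(value: Any, expected: Sequence[str]) -> bool:
    # "regular expression list" / "matches": any listed pattern matches the cell
    return any(re.search(p, str(value)) for p in expected)


def _string_list_equals(value: Any, expected: Sequence[str]) -> bool:
    # "string list": the cell equals one of the listed strings
    return str(value) in expected


def _greater_or_equal(value: Any, expected: Sequence[str]) -> bool:
    # numeric "greater than or equal to" against the single expected value
    try:
        return float(value) >= float(expected[0])
    except (TypeError, ValueError, IndexError):
        return False


OPERATORS: Dict[str, Callable[[Any, Sequence[str]], bool]] = {
    "regular expression list": _regex_list_matches,
    "string list": _string_list_equals,
    "greater than or equal to": _greater_or_equal,
}


def criterion_satisfied(rows: List[Row], criterion: Criterion) -> bool:
    """Assumption of this example: a criterion holds when every returned row
    satisfies it. A column missing from the result set (the situation Step 5
    warns about) is raised as an error rather than silently counted as FAIL."""
    column, operator, expected = criterion
    if column not in rows[0]:
        raise KeyError(f"column {column!r} was not returned by the SQL statement")
    return all(OPERATORS[operator](row[column], expected) for row in rows)


def evaluate_control(rows: List[Row], criteria: Sequence[Criterion],
                     connectives: Sequence[str], pass_if_no_data: bool) -> str:
    """'Set status to PASS if no data found' is OR'd with the criteria, as the
    guide states. Up to 5 criteria are joined pairwise by AND/OR; mixed
    connectives are applied left to right (this example's choice, the guide
    states no precedence). A control with rows but no criteria is FAIL."""
    if len(criteria) > 5:
        raise ValueError("at most 5 criteria are supported")
    if len(connectives) != max(len(criteria) - 1, 0):
        raise ValueError("one AND/OR connective is needed between each pair of criteria")
    if not rows:
        return "PASS" if pass_if_no_data else "FAIL"
    result = False
    for i, criterion in enumerate(criteria):
        matched = criterion_satisfied(rows, criterion)
        if i == 0:
            result = matched
        elif connectives[i - 1] == "AND":
            result = result and matched
        elif connectives[i - 1] == "OR":
            result = result or matched
        else:
            raise ValueError(f"unknown connective {connectives[i - 1]!r}")
    return "PASS" if result else "FAIL"


def run_check(sql: str, criteria: Sequence[Criterion], connectives: Sequence[str] = (),
              pass_if_no_data: bool = False, max_rows: int = 256) -> str:
    """End to end: collect rows from the sample database, then evaluate."""
    rows = collect(open_sample_db(), sql, max_rows)
    return evaluate_control(rows, criteria, connectives, pass_if_no_data)


if __name__ == "__main__":
    # Every customer returned by the Berlin filter is in Germany, so this is PASS.
    print(run_check("SELECT * FROM Customers WHERE Country='Germany' AND City='Berlin'",
                    [("Country", "string list", ["Germany"])]))
```

The row cap matters for the criteria semantics: when a target has more rows than the limit, the control is evaluated on a truncated sample, so a query that could return many rows should carry its own WHERE clause rather than relying on the scanner to fetch everything.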
Step 5 - Run a report 


You'll see PASS or FAIL status in your report like with any control. If the columns returned 
by the most recent scan differ from those in previous scans, edit your policy to modify the 
criteria selected for the control. 


[Screenshot: sample Policy Report entry for control 100190, SELECT * FROM Customers ORDER BY Country DESC. In this sample report, the expected value matches the actual value, resulting in status PASS. The Expected section lists the criteria (a regular expression list match, a greater than or equal to comparison, and a list match, OR any of the selected values), and the Actual section shows the returned rows with the columns CustomerID, CustomerName, ContactName, Address, City, PostalCode and Country, last updated 06/07/2015 at 16:10:07 (GMT-0700).] 


Common Questions and Sample Queries 


Please refer to the online help for answers to common questions as well as sample queries 
and the results from those queries for each of the database control types. 
Edit User-Defined Controls 


Managers and Auditors can edit controls. Unit Managers may be granted permission to 
edit user-defined controls (UDC). Go to PC > Policies > Controls, select a control and 
choose Edit from the Quick Actions menu. 


For a user-defined control (UDC), you can edit the control statement, category, comments, 
reporting options, scan parameters and their description, control values (which are used 
to calculate the expected values), control technologies, and references. When Control 
Criticality is enabled for your subscription, you can change or remove the criticality level 
assigned to the control. (To know more about control criticality, see the online help.) 


After you edit a UDC, to use the modified values in data collection and evaluation, run a 
fresh scan and generate a new report. 


Import and Export User-Defined Controls 


Manager and Auditor users have the option to import and export user-defined controls in 
XML format. Other users can export user-defined controls if they have the “Manage 
compliance” permission; these users do not have permission to import controls. 


Tip: The schema ImportableControl.xsd is used to import and export user defined 
controls. You can find a description of this schema in the online help. 


Export User Defined Controls 


To export user defined controls: 

1 Go to PC > Policies > Controls. 

2 Use the check boxes to select user defined controls you'd like to export. 

3 Select Actions > Export. 

The selected controls will be saved in an XML file named “control export yyyymmdd.xml” 
using the schema ImportableControl.xsd. A maximum of 500 controls can be exported. 


Import User Defined Controls 


To import user defined controls: 

1 Create user defined control(s) using the schema ImportableControl.xsd. 

2 Go to PC > Policies > Controls. 

3 Select New > Import from XML file and select the XML file with your user-defined 
controls. 


Note: If a control exists in your account with the same scan parameters as control(s) being 
imported, the service assigns the DESCRIPTION parameter of the existing control to the 
DESCRIPTION parameter of all imported controls with the same scan parameters. 
Qualys Custom Controls in Library Policies 


Library policies provided by Qualys may include a control type called Qualys Custom 
Control (QCC). With this control type we can quickly provide users with new controls that 
are similar to user-defined controls (UDC). Once QCCs are added to your account, you can 
copy any QCC to make your own UDC and customize it to meet your needs. 


Import a Policy from the Library 


Go to Policies > New > Policy > Import from Library. Choose a policy and click Next. If the 
selected policy includes QCCs you'll see the option Include Qualys Custom Controls. This 
option is selected by default and is recommended. Click Create to import the policy and 
add the QCCs. Simply uncheck the option if you don't want the QCCs to be imported. 


[Screenshot: Create a New Policy dialog with Policy from Library selected (Choose from one of the policies in our library). Fields: Name your policy (required; the policy name will appear in your policies list for quick identification, for example CIS Windows Server 2003 Benchmark v1.2), Library policy, and the Activate this policy check box (Your policy will be available for scanning and reporting. Clear this check box to activate the policy at a later time.)] 


The QCCs added from the policy appear on your controls list. The Type column shows QCC 
for each Qualys Custom Control. You can make a copy of any QCC to create a UDC that 
you can customize to meet your exact needs. Just choose Copy from the Quick Actions 
menu and then confirm the action. The new UDC appears on the controls list where you 
can edit it. 


Export a Policy with QCCs 


When you export a policy you will see the option Include UDCs and QCCs. By default we 
include all service-defined controls in the policy. Select this option to also include user- 
defined controls and Qualys custom controls in the policy. 


[Screenshot: Export Compliance Policy dialog for the policy "Library Policy". Export Format: Extensible Markup Language (XML). Check box: Include UDCs and QCCs (By default we'll include all service-defined controls in the policy. Select this option to also include user-defined controls and Qualys custom controls.)] 


Please note the following: 


1. All sections of the exported policy may be edited except for the evaluation criteria for each control (the EVALUATE tag). This tag may be 
removed if you want to later import the policy with default values from the controls library. 


2. Policy exported in CSV format may not be used for import. 
Manage Your Policies 


Go to PC > Policies to see all the policies in your subscription. From here you can view and 
edit policies, export policies, and change the policy status (active/inactive). 


[Screenshot: the Policies list (PC > Policies) with Actions, New, Search and Filters controls; the Quick Actions menu for the policy “My Windows XP Policy” shows Deactivate, Lock and Evaluate.] 


How do I export a policy? 


Choose Export from the Quick Actions menu and select a format (CSV or XML). You can 
include user-defined controls (UDCs) along with the service-provided controls when you 
export a policy from your account to CSV or XML. Exporting a policy lets you quickly and 
easily share it or compare it with other policies you may have. 


How do I import a policy? 


You can import a policy from an XML file including user-defined controls (UDCs) or 
directly from the Compliance Policy Library. Once a policy is imported, you can customize 
the policy to suit your needs (unless it is locked). Just go to New > Policy, select either 
Import from XML File or Import from Library and we'll walk you through the steps. 


How do | lock a policy? 


You can lock a policy to restrict other users from updating it. Navigate to Policies > 
Policies, select the policy you want to lock, and select Lock from the Quick Actions menu. 
You can use the Actions menu to lock multiple policies in one go. Similarly, you can unlock 
a locked policy. Policies must be unlocked to enable editing. 


Tell me about locked policies 


Locked policies may be imported for certification purposes. For example, the service 
provides locked policies for testing compliance against specific CIS benchmarks. These 
policies have been reviewed and certified by CIS (the Center for Internet Security). You can 
import a CIS-certified policy from the library into your account, assign relevant assets to 
the policy and then use the policy to certify that you are meeting all requirements 
outlined in the CIS benchmark. 


Tell me about policy status 


Every policy in your account will either be active or inactive. Inactive policies 
will not be scanned or reported on. You can make a policy inactive by simply choosing 
Deactivate from the Quick Actions menu. (Then activate it later by choosing Activate.) 
Why make a policy inactive? You may want to hide a new policy while you're working on it 
and then publish it at a later time. Or let's say a policy has become out of date and you 
want to edit the policy before republishing it. In such cases you mark the policy inactive 
and make the required changes. Then activate it when you're done. 


How do I evaluate a policy? 


Policies are evaluated when new scan results are processed for the hosts in your policy. 
You can also start policy evaluation when saving changes to a policy or anytime from the 
policies data list. Simply select the Evaluate Now check box before you click Save in the 
Policy Editor. From the policy data list, select any policy and choose Evaluate from the 
Quick Actions menu. To evaluate multiple policies at one go, select the policies and choose 
Evaluate from the Actions menu above the list. 


Mandates 


Mandates are regulatory or good practice standards, compliance frameworks etc. designed 
by government organizations. We provide a set of pre-defined mandates which you can 
use to generate mandate based reports. To view mandates, go to PC > Policies > Mandates. 


[Screenshot: the Mandates tab (1-20 of 30 shown) with the columns Title, Requirements, Version, Publisher, Released Date and Last Modified Date.] 

Title | Requirements | Version | Publisher | Released Date | Last Modified Date 
CIS Controls | 20 | Ver7.1 | Center for Internet Security (CIS) | 09/28/2020 | 09/29/2020 
Cybersecurity Maturity Model Certification (CMMC) - Maturity Level 5 | 17 | v1.02 (18 March 2020) | US Government - Office of the Und... | 09/23/2020 | 09/24/2020 
Cybersecurity Maturity Model Certification (CMMC) - Maturity Level 4 | 17 | v1.02 (18 March 2020) | US Government - Office of the Und... | 09/23/2020 | 09/24/2020 
Cybersecurity Maturity Model Certification (CMMC) - Maturity Level 3 | 17 | v1.02 (18 March 2020) | US Government - Office of the Und... | 09/23/2020 | 09/24/2020 
Cybersecurity Maturity Model Certification (CMMC) - Maturity Level 2 | 15 | v1.02 (18 March 2020) | US Government - Office of the Und... | 08/23/2020 | 09/24/2020 
Cybersecurity Maturity Model Certification (CMMC) - Maturity Level 1 | 6 | v1.02 (18 March 2020) | US Government - Office of the Und... | 09/23/2020 | 09/24/2020 
Monetary Authority of Singapore (MAS) - Notice 834: Cyber Hygiene Pr... | 6 | Issue Date: 6 Aug, 2019 | Monetary Authority of Singapore (... | 06/28/2020 | 06/29/2020 
NIST 800-53 (Special Publication) Revision 4 | 26 | Revision 4 (April 2013) | National Institute of Standards and... | 12/21/2015 | 05/31/2020 


What can I see in the mandates? 


A mandate has a set of requirements which may include one or more levels of sub- 
requirements. These requirements contain control-objectives and the control-objectives 
have sub-control-objectives or controls. 


Can I edit mandates? 


No, the mandates are pre-defined and cannot be edited. However, you can download the 
mandate or view the mandate. 


Download a mandate 


Go to PC > Policies > Mandates, choose New and select Download. Select the download 
file format and click Download. 


Report on mandates 


You can easily generate a report directly from the Mandates tab. Simply select one or 
more mandates and from the Actions menu select Generate Report. See Mandate Based 
Reports. 
Reporting Overview 


A policy compliance dashboard and specialized policy compliance reports provide 
compliance status information for the hosts in your account, based on the results 
returned from the most recent compliance scans. These reports help you determine 
whether hosts are compliant with the policies in your account. 


Dashboard 


The policy compliance dashboard provides a summary of your overall compliance status 
across all policies in your account. It displays the top failing policies broken down by 
technology or by criticality so you can prioritize your compliance efforts. From the 
dashboard, you can drill-down into a policy summary report for any policy listed, make 
changes to upcoming schedules, view compliance reports and more. To view the 
dashboard, select Dashboard on the top menu. 


[Screenshot: the PC Dashboard (Last Updated: Friday, 30 Jun 2017) showing Evaluated policies 141, Evaluated hosts 591, Evaluated controls 2981, Your last scans (for example PC Scan and UDC FIM scan 20170616 with their dates), Top Failing Policies by Technology or by Criticality (technologies such as HPUX 11.iv2, Oracle 10g, Solaris 10.x, RedHat Enterprise Linux 3/4 and 5.x, Windows XP desktop, Windows 2000 and Windows 2003 Server), Your upcoming scans (No upcoming schedules; Schedule a Scan) and Latest reports.] 


You can also view the Policy Compliance Summary for an asset in the Compliance tab 
of AssetView. You can see the compliance policies each asset is associated with and how 
the policies are doing in terms of secure configuration controls on each asset. 


Simply navigate to AssetView > Assets tab, select an asset and click View Asset Details. 
Locate the Compliance tab to view a detailed compliance summary for that asset. 
Policy Summary 


The Policy Summary provides a one-page summary of your compliance status for a 
specific policy in your account. You can view the Policy Summary from the Reports section 
(Reports > Policy Summary) or link to it from the PC Dashboard (double-click any policy 
title under Top 5 passing policies or Top 5 failing policies). 


At the top of the page, select the policy you're interested in from the Policy menu. When 
you link to this page from the Dashboard the policy is selected for you. You can change the 
policy selection at any time to report on a different policy in your account. You can also 
change the trend duration selection. Your selection determines the number of days (7-90) 
included in the trend graphs. Note that trend graphs may show aggregate data when a 
longer time frame is selected. 


[Screenshot: Reports > Policy Summary with Policy: My Windows XP Policy selected. The summary tiles show Evaluated hosts (4), Evaluated controls and Control instances; Trending graphs for Pass/Fail/Error and Controls/Hosts; Top Failing Hosts lists 10.10.24.84.] 


Did you know? 
You can run interactive compliance reports directly from the Policy Summary. 


Select the IP address for any host listed under “Top Failing Hosts” to run the Individual 
Host Compliance Report for the selected host/policy. 


Select the control title for any control listed under “Top Failing Controls” to run the 
Control Pass/Fail Report for the selected control/policy. 
Control View 


You can view and search for information across all controls in your subscription, making 
it easier for you to navigate your compliance data. Create and save search queries as per 
your requirement. 


Note: 
- Records are displayed in Control View only when at least one search criterion has been entered. 


- You'll need to run a compliance scan to view history for control status changes. 


What are the steps? 


Go to Reports > Control View and do one of the following: 


Option 1 - Start typing search criteria [Posture, Technology, Criticality, etc] in the text box. 


[Screenshot: Reports > Control View with the Saved Searches menu and the search box filled with Posture: Fail, Criticality: SERIOUS, Technology (the Technology list offers entries such as AIX 5.x, 6.x and 7.x, Apache HTTP Server 2.2.x, Apache Tomcat 6.x and 7.x, CentOS 4.x, 5.x and 6.x). The results list control IDs with their statements and criticality, for example 1111 Current content of the logon banner (Windows/Unix/Linux), 1112 Permissions set for the ‘/etc/issue.net’ file (Unix/Linux) and 3778 Status of the contents of the ‘login banner’ (Windows/Unix/Linux), each SERIOUS.] 


Option 2 - Click the expand button, select search criteria and click Search. 


[Screenshot: the expanded search panel in Control View with the filters Posture (Fail, Error), Control, Criticality (CRITICAL, MEDIUM), Technology (AIX 7.x, Apache HTTP Server 2.2.x), Policy, Asset Group and IP.] 


Can I save my search filters? 


Yes, click Save in the top right corner to save the search filter. You can even mark your 
most commonly used search filters as Favorite. Favorites are displayed in the Saved 
Searches list. A yellow star is shown to identify if a saved search filter is marked as 
favorite. 


How do I share my saved searches? 


When you save a search filter you can choose to share it with other users. You can also 
share a saved filter later from Search Action in the top-right corner. A shared search is 
identified with a blue share icon. 
Can I edit my saved searches? 


Yes, you can easily add or remove criteria from a saved search. You can either save 
changes to the same search or click Save As in the top-right corner to create a new search 
filter. 


Tell me about the columns that show history for control status changes 


First Fail Date - The first scan date when the control was reported as Fail. If the previous 
status was Pass then this is the date the status changed from Pass to Fail. 


Last Fail Date - The most recent scan date when the control was reported as Fail. 


First Pass Date - The first scan date when the control was reported as Pass. If the previous 
status was Fail then this is the date the status changed from Fail to Pass. 


Last Pass Date - The most recent scan date when the control was reported as Pass. 


Previous Posture - The compliance status (Pass or Fail) for each control before the most 
recent compliance scan. 
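The following added Python example (not Qualys code) derives the five history columns above from a constructed sequence of per-scan postures for one control on one host, and uses Previous Posture together with the current posture to flag the Pass to Fail regressions a defender would triage first. It takes the plain reading of the definitions (First and Last X Date are the earliest and most recent scan dates with that posture; Previous Posture is the posture recorded by the scan before the latest one); that reading and the sample dates are the example's assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple

# One control's posture on one host as reported by successive compliance scans.
# Constructed sample data for this example, not taken from the guide.
SAMPLE_SCANS = [
    (date(2021, 6, 1), "Pass"),
    (date(2021, 6, 8), "Pass"),
    (date(2021, 6, 15), "Fail"),
    (date(2021, 6, 22), "Fail"),
    (date(2021, 6, 29), "Pass"),
]

ScanRecord = Tuple[date, str]


@dataclass
class ControlHistory:
    first_fail_date: Optional[date]
    last_fail_date: Optional[date]
    first_pass_date: Optional[date]
    last_pass_date: Optional[date]
    previous_posture: Optional[str]  # posture before the most recent scan
    current_posture: Optional[str]   # posture from the most recent scan


def control_history(scans: Sequence[ScanRecord]) -> ControlHistory:
    """Derive the Control View history columns from a scan sequence.
    First/Last X Date are the earliest and most recent scan dates with that
    posture; Previous Posture is the posture of the scan before the latest one."""
    ordered = sorted(scans)
    for _, posture in ordered:
        if posture not in ("Pass", "Fail"):
            raise ValueError(f"unexpected posture {posture!r}")
    fails = [d for d, p in ordered if p == "Fail"]
    passes = [d for d, p in ordered if p == "Pass"]
    return ControlHistory(
        first_fail_date=fails[0] if fails else None,
        last_fail_date=fails[-1] if fails else None,
        first_pass_date=passes[0] if passes else None,
        last_pass_date=passes[-1] if passes else None,
        previous_posture=ordered[-2][1] if len(ordered) >= 2 else None,
        current_posture=ordered[-1][1] if ordered else None,
    )


def posture_changes(scans: Sequence[ScanRecord]) -> List[Tuple[date, str, str]]:
    """Each scan date on which the posture flipped, with the from/to postures.
    A Pass -> Fail entry is configuration drift worth investigating."""
    ordered = sorted(scans)
    changes = []
    for (_, before), (when, after) in zip(ordered, ordered[1:]):
        if before != after:
            changes.append((when, before, after))
    return changes


def regressed_since_last_scan(scans: Sequence[ScanRecord]) -> bool:
    """True when the most recent scan turned a passing control into a failing one."""
    h = control_history(scans)
    return h.previous_posture == "Pass" and h.current_posture == "Fail"


if __name__ == "__main__":
    print(control_history(SAMPLE_SCANS))
    for when, before, after in posture_changes(SAMPLE_SCANS):
        print(f"{when}: {before} -> {after}")
```

Because the columns are computed only from scans that actually ran, a host that dropped out of the scan schedule keeps stale dates; compare Last Pass Date or Last Fail Date against the last scan date before trusting the posture.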


Policy Compliance Reports 


All policy compliance reports are based on the most recent compliance scan for each host. 
There are template based reports and interactive reports. Once generated, template based 
reports are saved to your reports list. Interactive reports are not saved. 


To create a new compliance report, select Reports from the top menu, click the Reports 
tab and select the report you want to run from the New menu. 


[Screenshot: Policy Compliance > Reports tab. The New menu offers Compliance Report (Authentication Report, Policy Report, Interactive Report, Scorecard Report, Mandate Based Report, STIG Based Report), Report Template, SCAP Report and Download.] 


Authentication Report 


The Authentication Report indicates whether authentication was successful for scanned 
hosts. If authentication to a host is not successful, then no controls can be evaluated for 
the host and no compliance data can be collected for the host. If authentication to a host 
is successful, then the host can be evaluated for compliance. The Authentication Report 
uses a hidden report template provided by the service. This template cannot be viewed 
from the report templates list. 


To run the Authentication Report, go to New > Compliance Report > Authentication 
Report. Select a report format, report source (certain business units or asset groups), and 
choose whether to display the Summary and/or Details section. Click Run. 


Sample Authentication Report: 


[Screenshot: My PC Authentication Report - 20170630, June 30, 2017. Report Summary: Created 06/30/2017 at 15:08:29 (GMT+0530), Company: Qualys] 


Asset Groups Summary 

Windows XP: 4 of 10, 40% Successful 
DNS host: 2 of 6, 33% Successful 


Results 


Windows XP 4 of 10 (40%) 


Not Attempted 


HOST | HOST TECHNOLOGY | INSTANCE | STATUS | CAUSE 
10.10.10.141 (winxp.vuln.qa.qualys.com, WINXP) | - | - | Not Attempted | There are no records set up for the host type. 
10.10.24.93 (xpsp2-24-93, XPSP2-24-93) | - | - | Not Attempted | There are no records set up for the host type. 
10.10.24.182 (wxp-cf9-24-182, WXP-CF9-24-182) | - | - | Not Attempted | There are no records set up for the host type. 


Policy Report 


The Policy Report provides compliance status and trend information for a specific policy. 


The Policy Report requires a policy report template. The template settings determine the 
layout and organization of your report, the trend duration for trend graphs, and the list of 
frameworks that may appear in the report. The service provides the “Policy Report 
Template” to help you get started. You can use this template as is or customize the 
settings. 


To run the Policy Report, select New > Compliance Report > Policy Report. In the New 
Policy Report wizard specify your policy report template in the Report Template field. 
Choose the policy you want to report on. Under Asset Groups you have the option to run 
the report on all asset groups in the policy or to select specific asset groups in the policy. 
Click Run. 


Sample Policy Report: 
This sample shows the Report Summary section of a Policy Report. The report lists hosts 
relevant to the policy with the controls tested on each host and the passed/failed status 
for each control. For each control, you can expand details to see the expected value as 
defined in the policy and the actual value returned when the host was last scanned. 


[Screenshot: My Policy Report, Report Summary section] 

Policy: My Windows XP Policy    Template: Policy Report Template 
Technologies: 1 (Windows XP desktop)    PC Agent IPs: No 
Total Passed: 784 (98%)    Total Failed: 16 (2%)    Total Error: 0    Total Control Instances: 800 
Approved Exceptions: 0    Pending Exceptions: 0    Active Hosts: 4    Controls: 200 


The following pie charts display the number of control instances and their states at the time this report was generated. 


Pass/Fail/Error Summary: Passed 98.00% (784 of 800), Failed 2.00% (16 of 800), Error 0.00% (0 of 800) 

Pass/Fail/Error and Exceptions Summary: Passed 98.00% (784 of 800), Failed 2.00% (16 of 800), Error 0.00% (0 of 800), Passed with Exceptions 0.00% (0 of 800), Failed Pending Exceptions 0.00% (0 of 800) 

Pass Criticality Summary: URGENT 4.34% (34 of 784), CRITICAL 35.71% (280 of 784), SERIOUS 27.55% (216 of 784), MEDIUM 31.89% (250 of 784), MINIMAL 0.51% (4 of 784) 

Fail Criticality Summary: URGENT 37.50% (6 of 16), CRITICAL 25.00% (4 of 16), SERIOUS 25.00% (4 of 16), MEDIUM 12.50% (2 of 16), MINIMAL 0.00% (0 of 16) 


Mandate Based Reports 


The Mandate Based Report helps you view the compliance posture of the organization in 
terms of the underlying Security baseline against selected Mandates. You get a 
harmonized report on one or more compliance policies and mandates. 


You can choose any mandates/standards you want to comply with (or even the sub- 
requirements from multiple mandates to create a Union of the total requirements) and 
get a view of compliance posture in terms of their selected policies. 


The Mandate Based Report requires a Mandate template. The template settings identify 
the sections you want to include in the report. To create a custom Mandate Based 
Template, go to Reports > Templates and select Mandate Template and configure the 
report template settings. 
You can group the report in two ways: 


Group by Mandates: generates the report so that information is grouped to flow as per the 
selected mandates. This works great when generating a report for a single mandate. 


Group by Control Objectives: harmonizes the overlapping requirements of the selected 
mandates and the control objectives related to those mandates. The information in the 
generated report is grouped to flow as per the control objectives. This grouping works best 
when you are generating a report for multiple mandates. 




To run the Mandate Based Report, click the Reports tab and select New > Compliance 
Report and select Mandate Based Report. 


[Screenshot: Reports tab, New > Compliance Report menu with Authentication Report, Policy Report, Interactive Report, Scorecard Report, Mandate Based Report and STIG Based Report.] 


Add mandates, select policies and choose assets you want to get information from, in your 
report. 


[Screenshot: New Mandate Based Report wizard with the sections Report Info, Mandates, Policies and Report Source. Under Mandates > Select mandates (maximum 3) you search for and add mandates (Add All / Remove All); CIS Critical Security Controls (Top 20 v6) has been added, with View and Remove links.] 


The report is generated according to what you selected in the report layout while creating 
the custom mandate based template. 
[Screenshot: sample Mandate Based Report] 

Mandates: CIS Top 20 Critical Security Controls (Top 20 v5) v5; CIS Critical Security Controls (Top 20 v6) 
Policies: CIS Benchmark for Microsoft Windows Server 2012 R2, v1.1.0, [Scored, Domain Controller] v.1.0; CIS Benchmark for Microsoft Windows 10 Enterprise RTM (Release 1511), v1.1.0 [Scored, Level 1 and Level 1+ BitLocker] v.2.0 
Asset Selection: All Assets in Policy 
Template: Mandate Template 

Report Summary 
Mandates: 2    Requirements: 20    Mandate Posture: Top 20 v5: 26.34%, Top 20 v6: 0% 
Controls: 224    Host Control Instances: 448    Policies: 2 

Requirement Posture for CIS Top 20 Critical Security Controls (Top 20 v5) v5 
CSC #1 Inventory of Authorized and Unauthorized Devices 
CSC #2 Inventory of Authorized and Unauthorized Software 
CSC #3 Secure Configurations for Hardware and Software 
CSC #4 Continuous Vulnerability Assessment and Remediation 

In the Detailed Report section of the report, you can view and drill down to view posture of 
the control objectives. 


[Screenshot: Detailed Report section, grouped by control objective: Access Control (AC) > AC-3 Access Enforcement > Mandates (1) > Controls (9). Control 1426, “Status of the ‘System objects: Strengthen default permissions of internal system objects’ setting”, is listed once per policy and host with the columns Policy, IP, Tracking, Asset Group, Asset Tag, Technology, Criticality, Evaluated date and Status (for example CIS Benchmark for Microsoft Windows Server 2012 R2, v1.1.0, [Scored, Domain Controller], Windows Server 2012 R2, CRITICAL, 02/20/2017, Pass). Further controls in the group: 2181 Current list of Groups and User Accounts granted the ‘Access this computer from the network’ right; 2185 Current list of Groups and User Accounts granted the ‘Allow logon through Terminal Services’ right; 2196 Current list of Groups and User Accounts granted the ‘Deny Access to this computer from the network’ right.] 


STIG Based Reports 


Launch the STIG (Security Technical Implementation Guides) Based Report to view the 
compliance and security posture of the organization in terms of the Defense Information 
Systems Agency (DISA). This report helps you to view control posture as per the Rule IDs 
or Vuln IDs provided in the DISA security technical implementation guides. 


To generate a STIG based report, first create a custom STIG based report template for the 
selected DISA STIG policy. Go to Reports > Templates > STIG Template and configure the 
settings. In the template, define everything you want to display in your report, for 
example which STIG postures and STIG severities to include. You can view results as per 
the Rule IDs or Vuln IDs provided in the DISA benchmarks. 


Then, to run the report, go to Reports > New > Compliance Report > STIG Based Report. 
Select the STIG template you created, and choose a DISA STIG policy to assess controls 
and get a view of compliance posture against the selected policies. 


[Screenshot: Reports tab (Dashboard, Policies, Scans, Reports, Exceptions). The New menu's Compliance Report submenu lists Authentication Report, Policy Report, Interactive Report, Scorecard Report, Mandate Based Report and STIG Based Report.] 


Depending on what you select in the report layout while creating the custom STIG based 
report template, a report is generated in CSV format. 


Compliance Scorecard Report 


The Compliance Scorecard Report allows you to: 


Report on multiple policies in a single report (up to 20 policies) 


Report your compliance score across selected policies for specific environments 
(up to 10 asset groups or asset tags) 


View compliance status by policy, by asset group/tag, by technology and by 
criticality 


Include a breakdown of compliance status changes over a period of time 


Get a list of the top hosts and controls that changed during your selected 
timeframe 


The Scorecard Report requires a scorecard report template. The template settings identify 
the sections you want to include in the report and the timeframe you want to report on 
(from the last 1 day to the last 90 days). The service provides a global “Compliance 
Scorecard Report” template to help you get started. You can use this template as is or 
customize the settings. 


Here's a look at the compliance scorecard report template. 


You'll notice that there are multiple ways you can report on your compliance data - by 
policy, by asset group/asset tag, by technology and by criticality. For each section, you can 
include the current compliance status plus details about compliance status changes. 
[Screenshot: New Compliance Scorecard Report Template. Wizard sections: General Information, Timeframe Selection, Criticality Selection, Sections, Layout. 
Timeframe Selection: Timeframe: Last 30 days; option "Only report changes that occurred in my timeframe". 
Criticality Selection: Criticality: All (UNDEFINED, MINIMAL, MEDIUM, SERIOUS, CRITICAL, URGENT). 
Sections: Report Summary (Failures by Criticality); Report Details (Overall Compliance by Policy; Changes by Policy, and by asset group/tag, and by technology; Overall Compliance by Asset Group/Asset Tag; Changes by Asset Group/Asset Tag, and by policy, and by technology; Overall Compliance by Technology; Changes by Technology; Overall Compliance by Criticality; Changes by Criticality, and by policy, and by asset group/tag, and by technology); "Show me the top 10" Hosts with changes and Controls with changes; "Show me the top 5" Failed controls by criticality. 
Layout: Report Title, Summary, Report Details (Policies, Asset Groups, Technologies, Criticality).] 




To run the Scorecard Report, select New > Compliance Report > Scorecard Report. Choose 
a template and format. Then select up to 20 policies and up to 10 asset groups or asset 
tags for your report. Your report will only include compliance evaluation data for hosts 
that match at least one of the selected policies and at least one of the selected asset 
groups. Click Run. 


Sample Scorecard Report: 


Here’s a look at the summary section of the scorecard report. You can quickly see your 
overall compliance score across the selected policies, the number of control instances 
with changes, the number of hosts with changes, the number of technologies with hosts 
that changed, and more. 
[Screenshot: summary section of "My Scorecard Report" (Policy Compliance Report, Compliance Scorecard Report). Report Title: Compliance Scorecard Report; generated 06/30/2017 at 15:32:39 (GMT+0530); Company: Qualys; User Role: Manager. 
Report Settings: Template: Compliance Scorecard Report; Report Timeframe: 05/31/2017-06/30/2017; # of Policies: 1; Criticality: UNDEFINED, MINIMAL, MEDIUM, SERIOUS, CRITICAL, URGENT; Asset Groups: Windows XP, Windows 10; Asset Tags: (none). 
Summary counters include Total Policies and Technologies with Hosts Changed.] 


Here’s an example of the compliance by policy section where you get your current 
compliance status for each policy with the number of passed and failed control instances, 
plus the detailed changes for each policy. 


[Screenshot: Compliance by Policy section of "My Scorecard Report". Policies: My Windows Policy, My Windows XP Policy, Win Server 2003. DETAILS (05/24/2017-06/26/2017). The bar chart "Compliance by Policy (05/24/2017-06/26/2017)" shows each policy's Passed, Failed and Error share on a 0-100% scale. The three tables below are reconstructed from the screenshot.] 

By Policy 

Policy                Control    Hosts               Passed      Failed      Error       Compliance 
                      Instances  Total/Scanned/Chg   Total/Chg   Total/Chg   Total/Chg   % 
My Windows Policy        22      8 / 6 / 0           22 / 0      0 / 0       0 / 0       100% 
My Windows XP Policy    892      5 / 4 / 0           845 / 0     46 / 0      1 / 0       94.73% 
Win Server 2003       3,117      3 / 1 / 1           2,586 / 4   527 / 3     4 / 0       82.96% 

By Policy and Asset Group 

Policy                Asset Group         Control    Hosts               Passed      Failed      Error       Compliance 
                                          Instances  Total/Scanned/Chg   Total/Chg   Total/Chg   Total/Chg   % 
My Windows Policy     All Windows Hosts      16      8 / 5 / 0           16 / 0      0 / 0       0 / 0       100% 
My Windows Policy     Windows XP Targets      6      3 / 3 / 0           6 / 0       0 / 0       0 / 0       100% 
My Windows XP Policy  All Windows Hosts     557      5 / 4 / 0           525 / 0     31 / 0      1 / 0       94.25% 
My Windows XP Policy  Windows XP Targets    335      3 / 3 / 0           320 / 0     15 / 0      0 / 0       95.52% 
Win Server 2003       All Windows Hosts   2,337      3 / 1 / 1           1,897 / 4   437 / 3     3 / 0       81.17% 
Win Server 2003       West Coast            780      1 / 0 / 0           689 / 0     90 / 0      1 / 0       88.33% 

By Policy and Technology 

Policy                Technology          Control    Hosts               Passed      Failed      Error       Compliance 
                                          Instances  Total/Scanned/Chg   Total/Chg   Total/Chg   Total/Chg   % 
My Windows Policy     Windows 2000            2      1 / 1 / 0           2 / 0       0 / 0       0 / 0       100% 
My Windows Policy     Windows XP desktop     16      5 / 4 / 0           16 / 0      0 / 0       0 / 0       100% 
My Windows Policy     Windows 2003 Server     4      2 / 1 / 0           4 / 0       0 / 0       0 / 0       100% 
My Windows XP Policy  Windows XP desktop    892      5 / 4 / 0           845 / 0     46 / 0      1 / 0       94.73% 
Win Server 2003       Windows 2003 Server 3,117      3 / 1 / 1           2,586 / 4   527 / 3     4 / 0       82.96% 


Control Pass/Fail Report 


The Control Pass/Fail Report identifies the pass/fail status for a specific control. When 
running this report, identify the policy and control you want to report on. Hosts included 
in the report are listed with a pass or fail status for the specified control. 


To run the Control Pass/Fail Report, click the Reports tab and select New > Compliance 
Report > Interactive Report and then select Control Pass/Fail and click Run. 


[Screenshot: New Compliance Interactive Report dialog. "Select an interactive report from the list below." Real-time Reports: Control Pass/Fail (selected), Individual Host Compliance; the preview pane shows a sample Control Pass/Fail Report dated May 03, 2007. Description: "The Control Pass/Fail Report identifies the compliance status for a particular control. When you run this report, you'll specify a policy and a control from that policy to report on. Hosts are listed with a pass or fail status for the specified control." Run and Cancel buttons.] 


The report setup wizard prompts you to select report settings. 


[Screenshot: Report Setup for the Control Pass/Fail Report. Policy: Windows XP; Asset Group: Windows XP; Asset Tags: "Include hosts that have Any of the tags below": Windows XP; "Do not include hosts that have Any of the tags below": (none); Control: Status of the 'Minimum Password Length' setting, chosen via the Select link.] 


1 Select a policy in your account and a control within that policy. 


2 Select an asset group that is assigned to the policy (this option is available to 
Managers and Auditors) to report on. 
3 Click Run to start report generation. 


The completed report appears in the same window. Note that this report is dynamically 
generated and it is not saved on your reports list. 


Sample Control Pass/Fail Report: 


[Screenshot: Report Results window for the Control Pass/Fail Report, June 30, 2017, generated 06/30/2017 at 15:47:33 (GMT+0530), with a Request Exception action at the top. 
Summary: Policy: Windows XP; CID: 1071; Control Reference: -; Control: Status of the 'Minimum Password Length' setting; Control Criticality: URGENT; Asset Group: Windows XP; Asset Tags: Included (any): Windows XP; Excluded (any): (none). 
Asset Group Information: Title: Windows XP; IPs: 10; Domains: 0; Users: 1; Business Impact: High; Division, Function and Location blank; Collateral Damage Potential, Target Distribution, Confidentiality Requirement, Integrity Requirement and Availability Requirement: Not Defined. 
Results: 1.3 Status of the 'Minimum Password Length' setting. Hosts: 8; In Compliance: 3 (37.5%); Display Results: Passed, Failed and Error; Sort By: IP Address; Policy Modified: 01/07/2017 at 04:52:12 (GMT+0530); Policy Last Evaluated: 06/01/2017 at 05:21:56 (GMT+0530). 
Host table columns: IP Address, Tracking, DNS Hostname, NetBIOS Hostname, Instance, OS, Posture, Exception. The visible rows show 10.10.10.28 (hostnames aanaltest and xpsp3-10-28test, Windows XP Service Pack 3, Failed), 10.10.10.180 (winxp3-10-180.patch.ad.vuln.qa.qualys.com, Windows XP Service Pack 2, Failed) and 10.10.24.93 (xpsp2-24-93, Windows XP, Passed); each Failed row has a Request link in the Exception column.] 

The Posture column identifies the status for the control on each host. Passed indicates 
that the expected value defined in the policy for the control matches the actual value 
returned during the last compliance scan on the host. Failed indicates that the expected 
value defined in the policy for the control does not match the actual value returned 
during the last compliance scan on the host. Exempt indicates that the host is exempt 
from the control. This means that an exception was requested and accepted for the 
control on the host. 


Individual Host Compliance Report 


The Individual Host Compliance Report identifies the compliance status for a specific 
host. When running this report, identify the policy and host you want to report on. Each 
control from the policy that is applicable to the host is listed with a pass or fail status. 


To run the report, click the Reports tab and select New > Compliance Report > Interactive 
Report and then select Individual Host Compliance and click Run. 


[Screenshot: New Compliance Interactive Report dialog. "Select an interactive report from the list below." Real-time Reports: Control Pass/Fail, Individual Host Compliance (selected); the preview pane shows a sample Individual Host Compliance Report dated May 03, 2007. Description: "The Individual Host Compliance Report identifies the compliance status for a particular host. When you run this report, you'll specify a policy and a single host to report on. Each control from the policy that is applicable to the host is listed with a pass or fail status for the host." Run and Cancel buttons.] 


The report setup wizard prompts you to select report settings. 


[Screenshot: Report Setup for the Individual Host Compliance Report. Policy: Windows XP; Asset Group: New windows host; Asset Tags: "Include hosts that have Any of the tags below": Windows XP; "Do not include hosts that have Any of the tags below": (none); IP Address: 10.10.10.28, chosen via the Select link. Run and Cancel buttons.] 


1 Select a policy in your account. 


2 Select an asset group that is assigned to the policy (this option is available to 
Managers and Auditors), and then click the Select link to select a host (IP address) 
to report on. 


3 Tell us whether you want to show controls that passed for the host, that failed for 
the host, or both. You can also filter the report by criticality levels. 


4 For Sort by, specify how you want hosts to be sorted. You may select one of these 
options: Order (the order of the controls in the policy), Control, Category, Posture, 
Exception (status). 


5 Click Run to start the report generation. 


Sample Individual Host Compliance Report: 


Summary 
Policy: Windows XP 
Asset Group: New windows host 
Asset Tags: Included (any): Windows XP; Excluded (any): (none) 
IP Address: 10.10.10.28 
Tracking Method: DNS Hostname 
Controls: 663 
In Compliance: 479 (71.71%) 
Not in Compliance: 184 (27.54%) 
Errors in Compliance: 5 (0.75%) 
Display Results: Passed, Failed and Error 
Criticality Filter: UNDEFINED, MINIMAL, MEDIUM, SERIOUS, CRITICAL, UR (truncated in the screenshot) 
Sort By: Order 
Policy Modified: 01/07/2017 at 04:52:12 (GMT+0530) 
Policy Last Evaluated: 06/01/2017 at 05:21:56 (GMT+0530) 

Results 
10.10.10.28 Windows XP Service Pack 3 
IP Address: 10.10.10.28; NetBIOS Name: XPSP3-10-28; OS: Windows XP Service Pack 3; Tracking Method: DNS Hostname (DNS Name, Owner, Location, Function and Asset Tag blank) 

Order  CID   Control                                                      Category                     Posture  Criticality  Exception 
11     1052  Status of the 'Devices: Allowed to format and eject          Access Control Requirements  Passed   URGENT 
             removable media' setting (NTFS formatted devices) 
12     1059  Status of the 'Indexing' service                             Access Control Requirements  Failed   URGENT       Request 
13     1071  Status of the 'Minimum Password Length' setting              Access Control Requirements  Failed   URGENT       Request 
14     1072  Status of the 'Minimum Password Age' setting                 Access Control Requirements  Passed   MEDIUM 
15     1073  Status of the 'Maximum Password Age' setting                 Access Control Requirements  Failed   URGENT       Request 


In the Results section, click on a control in the list to display scan results for the control 
on the host. The Expected value is the value as defined in the policy. The Actual value 
represents the compliance data retrieved from the most recent compliance scan. The 
service compares the actual value to the expected value to determine the compliance 
status. 


Managing exceptions 


Users may request exceptions for some hosts/controls in a selected policy to support a 
business need. For example, a compliance policy may have a control that states the FTP 
service is not allowed on a server; however, there may be a business requirement to exempt 
one or more hosts from this particular control in the policy. Users submit exceptions for 
one or more hosts/controls in a policy that failed compliance. When approved, 
compliance reports do not fail compliance for the hosts/controls in the exception request 
for a period of time defined in the request. 
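The posture rules above (expected value vs. actual value, with an approved exception exempting a host/control for the period defined in the request) and the scorecard's per-policy compliance % as one added Python example; this is not code from this guide or from Qualys. The hosts, control values, dates, the exception record layout and the choice to count Exempt instances toward the compliance score are assumptions of the example.

```python
"""Posture evaluation and per-policy roll-up (added example, not Qualys code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class ControlResult:
    """One control instance: a control evaluated on one host (constructed sample)."""
    policy: str
    host: str
    cid: int
    expected: str            # value defined in the policy
    actual: Optional[str]    # value from the last compliance scan; None = scan error


@dataclass(frozen=True)
class ExceptionRequest:
    """Exception record; layout is an assumption of this example."""
    policy: str
    host: str
    cid: int
    status: str              # "Approved", "Pending", "Rejected", ...
    start: date              # exemption period defined in the request
    end: date


def posture(r: ControlResult, exceptions: Iterable[ExceptionRequest], today: date) -> str:
    """Posture of one control instance: Exempt, Error, Passed or Failed."""
    for e in exceptions:
        if ((e.policy, e.host, e.cid) == (r.policy, r.host, r.cid)
                and e.status == "Approved" and e.start <= today <= e.end):
            return "Exempt"          # approved exception, and today is inside its window
    if r.actual is None:
        return "Error"               # scan could not retrieve the value
    return "Passed" if r.actual == r.expected else "Failed"


def scorecard_by_policy(results, exceptions, today) -> Dict[str, dict]:
    """Counts per policy like the scorecard's Compliance by Policy table."""
    rows: Dict[str, dict] = {}
    for r in results:
        row = rows.setdefault(r.policy, {"instances": 0, "hosts": set(), "Passed": 0,
                                         "Failed": 0, "Error": 0, "Exempt": 0})
        row["instances"] += 1
        row["hosts"].add(r.host)
        row[posture(r, exceptions, today)] += 1
    for row in rows.values():
        row["hosts"] = len(row["hosts"])
        # Compliance % = passed / all control instances, so errors count against the
        # score (845 / 892 = 94.73% in the sample report). Counting Exempt instances
        # as non-failing and toward the score is this example's assumption.
        row["compliance_pct"] = round(
            100 * (row["Passed"] + row["Exempt"]) / row["instances"], 2)
    return rows


# Constructed sample data. CID 1071 is the 'Minimum Password Length' control shown
# in the sample reports; the expected/actual values and CID 1072 rows are illustrative.
SAMPLE_RESULTS = [
    ControlResult("Windows XP", "10.10.10.28", 1071, "14", "8"),     # Failed
    ControlResult("Windows XP", "10.10.10.28", 1072, "1", "1"),      # Passed
    ControlResult("Windows XP", "10.10.10.180", 1071, "14", "14"),   # Passed
    ControlResult("Windows XP", "10.10.10.180", 1072, "1", None),    # Error
    ControlResult("Windows XP", "10.10.24.93", 1071, "14", "8"),     # Failed, but exempt
    ControlResult("Windows XP", "10.10.24.93", 1072, "1", "1"),      # Passed
]
SAMPLE_EXCEPTIONS = [
    ExceptionRequest("Windows XP", "10.10.24.93", 1071, "Approved",
                     date(2017, 6, 1), date(2017, 8, 31)),
    ExceptionRequest("Windows XP", "10.10.10.28", 1071, "Pending",
                     date(2017, 6, 1), date(2017, 8, 31)),  # not approved: still Failed
]
AS_OF = date(2017, 6, 30)

if __name__ == "__main__":
    for res in SAMPLE_RESULTS:
        print(res.host, res.cid, posture(res, SAMPLE_EXCEPTIONS, AS_OF))
    print(scorecard_by_policy(SAMPLE_RESULTS, SAMPLE_EXCEPTIONS, AS_OF))
```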


The exceptions workflow allows all users to submit and view exception requests and their 
status. Managers and Auditors can approve exception requests; Unit Managers may 
approve requests submitted by users in their business unit when this privilege is granted 
in their user account. User actions on exceptions are logged in the exception history. 


You request exceptions from these interactive reports: Control Pass/Fail Report and 
Individual Host Compliance Report. In the report results, simply identify the control/host 
that needs an exception and select the check box next to each control/host that you want 
to include in the request and click the Request Exception button at the top of the report. 


See all exceptions on your hosts in the Exceptions tab. Select Info from the Quick Actions 
menu for any exception to view complete details, including the related policy, control and 
technology, plus the expected control value as defined in the policy and the actual value 
returned during the compliance scan. You can also view a history log for the exception. 


[Screenshot: Policy Compliance > Exceptions tab (Dashboard, Policies, Scans, Reports, Exceptions, Assets, Users), with New, Search, Filters and an Inactive Exceptions toggle. The exception list, reconstructed from the screenshot:] 

#  IP Address    Tracking  Technology                    Policy      CID   Control                                                     Criticality 
1  10.10.30.159  IP        Red Hat Enterprise Linux 5.x  RHEL 5,6,7  1071  Status of the 'Minimum Password Length' setting             URGENT 
2  10.10.30.159  IP        Red Hat Enterprise Linux 5.x  RHEL 5,6,7  1073  Status of the 'Maximum Password Age' setting (expiration)   URGENT 
                                                                           / Accounts having the 'password never expires' flag set 


Tips and Tricks 


Add Auditor Users 


Create users with the Auditor user role to perform compliance management tasks. 
Auditors can create and manage compliance policies for the subscription, generate 
reports on compliance data and manage exception requests. Auditors are automatically 
part of the Unassigned business unit and have permission to all compliance hosts defined 
for the subscription. Note that Auditors only have visibility into compliance data (not 
vulnerability data). Auditors cannot perform any vulnerability management functions. 


To add an Auditor, select New > User above the user list. Using the wizard, provide general 
information such as user name and address. Continue to the User Role section and select 
Auditor from the User Role menu. 


[Screenshot: New User wizard, User Role section. User Role: Auditor; Business Unit: Unassigned (with a New Business Unit link); Options: Allow access to.] 


The first time the Auditor logs in they will see the Quick Start with links to compliance 
management features. An Auditor can create asset groups including compliance hosts, 
create a policy, create policy report templates and run compliance reports. 


Customize Frameworks for the Subscription 


When you view technical control information the details include a list of frameworks, 
standards and regulations that the control maps to. Manager users have the option to 
customize the list to only display selected frameworks. This setting is made at the 
subscription level and affects the list of frameworks displayed to all users in technical 
control details and in PC reports. By customizing the list to only select frameworks, you 
can reduce the size of your reports. 


To customize the frameworks list, go to Policies, click the Setup tab, and then select 
Frameworks. Select the option Customize list of frameworks and then select the 
frameworks you want to display in the subscription. Additionally, any user with 
compliance management privileges can customize the list of frameworks in their 
compliance policy reports. This setting is made in the policy report template. 
[Screenshot: Frameworks Setup. "The following options will be applied": All available frameworks / Customize list of frameworks (selected). Add frameworks (search box, Add All / Remove All) with entries such as CIS - Windows 2003, 1.2 [Member Server] (10/2005) v. 1.2: 2005; CIS - Windows 2003, 2.0 [Member Server] (10/2007) 2.0; CIS - Windows 2008, 1.0.0 (03/2010) 1.0.0: 2010; CIS - Windows XP Professional Operating System Legacy, Enterprise, and S... (truncated), each with a Remove link; Save and Cancel buttons.] 



Customize Technologies for the Subscription 


You can hide the technologies that you do not use on a regular basis. By hiding them, 
Manager users ensure that nobody needs to go through the whole list of available 
technologies to select the ones they want. This is especially useful when searching 
controls by technology: only the controls related to the preferred technologies are 
displayed and available for search. 


To customize the technologies list, go to Policies, click the Setup tab, and then select 
Technologies. Create a list of preferred technologies that should be displayed. For 
example, let's say you're interested only in Windows. You add all the Windows 
technologies to your preferred list, and all other technologies (Unix, Sybase, Solaris, 
etc.) will be hidden. 


[Screenshot: Technologies Setup. "All technologies are available when creating policies and viewing controls. Choose to display fewer technologies by creating a preferred technologies list." Options: Display all technologies / Display my preferred technologies (selected). Add technologies list showing Windows 2003 Server, Windows 2008 Active Directory, Windows 2008 Server, Windows 2012 R1/R2 Active Directory, Windows 2012 Server, Windows 7 and Windows 8, with an "Add all shown" link.] 


Review & Customize Control Criticality 


Control Criticality provides ratings for controls, including the ability to customize ratings 
at the control level and at the policy level. Criticality appears in control details - in the 
controls list, in your policies and reports. We've defined 5 criticality levels ranging from 
Minimal to Urgent. You can rename these levels and change their colors if you want (go to 
PC > Policies > Setup and select Control Criticality Levels). 


[Screenshot: Control Criticality Setup, Control Criticality Levels. "Define settings for control criticality levels that will appear to all users when viewing control information. Each control is assigned one criticality level." Levels: MINIMAL, MEDIUM, SERIOUS, CRITICAL, URGENT.] 


Contact Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/. 